-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 # SSA-256353: Third-Party Component Vulnerabilities in RUGGEDCOM ROS Publication Date: 2022-03-08 Last Update: 2023-12-12 Current Version: 1.5 CVSS v3.1 Base Score: 9.6 SUMMARY ======= Multiple vulnerabilities affect various third-party components of the RUGGEDCOM Operating System (ROS). If exploited, an attacker could cause a denial-of-service, act as a man-in-the-middle or retrieval of sensitive information or gain privileged functions. Siemens has released updates for the affected products and recommends to update to the latest versions. AFFECTED PRODUCTS AND SOLUTION ============================== * RUGGEDCOM i800 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM i800NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM i801 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM i801NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM i802 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM i802NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM i803 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM i803NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM M969 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM M969F - Affected versions: All versions - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42016 CVE-2021-42017 CVE-2021-42018 CVE-2021-42019 - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * RUGGEDCOM M969NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM M2100 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM M2100F - Affected versions: All versions - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42016 CVE-2021-42017 CVE-2021-42018 CVE-2021-42019 - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * RUGGEDCOM M2100NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM M2200 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM M2200F - Affected versions: All versions - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42016 CVE-2021-42017 CVE-2021-42018 CVE-2021-42019 - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * RUGGEDCOM M2200NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RMC30 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RMC30NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RMC8388 V4.X - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RMC8388 V5.X - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RMC8388NC V4.X - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RMC8388NC V5.X - Affected versions: All versions < V5.6.0 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RP110 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RP110NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS400 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS400F - Affected versions: All versions - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42016 CVE-2021-42017 CVE-2021-42018 CVE-2021-42019 - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * RUGGEDCOM RS400NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS401 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS401NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS416 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS416F - Affected versions: All versions - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42016 CVE-2021-42017 CVE-2021-42018 CVE-2021-42019 - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * RUGGEDCOM RS416NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS416NCv2 V4.X - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS416NCv2 V5.X - Affected versions: All versions < V5.6.0 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RS416P - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS416PF - Affected versions: All versions - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42016 CVE-2021-42017 CVE-2021-42018 CVE-2021-42019 - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * RUGGEDCOM RS416PNC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS416PNCv2 V4.X - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS416PNCv2 V5.X - Affected versions: All versions < V5.6.0 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RS416Pv2 V4.X - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS416Pv2 V5.X - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RS416v2 V4.X - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS416v2 V5.X - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RS900 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900 (32M) V4.X - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900 (32M) V5.X - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RS900F - Affected versions: All versions - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42016 CVE-2021-42017 CVE-2021-42018 CVE-2021-42019 - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * RUGGEDCOM RS900G - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900G (32M) V4.X - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900G (32M) V5.X - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RS900GF - Affected versions: All versions - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42016 CVE-2021-42017 CVE-2021-42018 CVE-2021-42019 - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * RUGGEDCOM RS900GNC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900GNC(32M) V4.X - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900GNC(32M) V5.X - Affected versions: All versions < V5.6.0 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RS900GP - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900GPF - Affected versions: All versions - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42016 CVE-2021-42017 CVE-2021-42018 CVE-2021-42019 - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * RUGGEDCOM RS900GPNC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900L - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900LNC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900M-GETS-C01 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900M-GETS-XX - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900M-STND-C01 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900M-STND-XX - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900MNC-GETS-C01 - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900MNC-GETS-XX - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900MNC-STND-XX - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900MNC-STND-XX-C01 - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900NC(32M) V4.X - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS900NC(32M) V5.X - Affected versions: All versions < V5.6.0 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RS900W - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS910 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS910L - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS910LNC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS910NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS910W - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS920L - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS920LNC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS920W - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS930L - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS930LNC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS930W - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS940G - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS940GF - Affected versions: All versions - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42016 CVE-2021-42017 CVE-2021-42018 CVE-2021-42019 - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * RUGGEDCOM RS940GNC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS969 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS969NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS1600 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS1600F - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS1600FNC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS1600NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS1600T - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS1600TNC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS8000 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS8000A - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS8000ANC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS8000H - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS8000HNC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS8000NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS8000T - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RS8000TNC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG907R - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RSG908C - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RSG909R - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RSG910C - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RSG920P V4.X - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG920P V5.X - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RSG920PNC V4.X - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG920PNC V5.X - Affected versions: All versions < V5.6.0 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RSG2100 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG2100 (32M) V4.X - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG2100 (32M) V5.X - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RSG2100F - Affected versions: All versions - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42016 CVE-2021-42017 CVE-2021-42018 CVE-2021-42019 - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * RUGGEDCOM RSG2100NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG2100NC(32M) V4.X - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG2100NC(32M) V5.X - Affected versions: All versions < V5.6.0 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RSG2100P - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG2100PF - Affected versions: All versions - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42016 CVE-2021-42017 CVE-2021-42018 CVE-2021-42019 - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * RUGGEDCOM RSG2100PNC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG2200 - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG2200F - Affected versions: All versions - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42016 CVE-2021-42017 CVE-2021-42018 CVE-2021-42019 - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * RUGGEDCOM RSG2200NC - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG2288 V4.X - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG2288 V5.X - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RSG2288NC V4.X - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG2288NC V5.X - Affected versions: All versions < V5.6.0 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RSG2300 V4.X - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG2300 V5.X - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RSG2300F - Affected versions: All versions - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42016 CVE-2021-42017 CVE-2021-42018 CVE-2021-42019 - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * RUGGEDCOM RSG2300NC V4.X - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG2300NC V5.X - Affected versions: All versions < V5.6.0 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RSG2300P V4.X - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG2300P V5.X - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RSG2300PF - Affected versions: All versions - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42016 CVE-2021-42017 CVE-2021-42018 CVE-2021-42019 - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * RUGGEDCOM RSG2300PNC V4.X - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG2300PNC V5.X - Affected versions: All versions < V5.6.0 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RSG2488 V4.X - Affected versions: All versions < V4.3.8 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG2488 V5.X - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RSG2488F - Affected versions: All versions - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42016 CVE-2021-42017 CVE-2021-42018 CVE-2021-42019 - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * RUGGEDCOM RSG2488NC V4.X - Affected versions: All versions < V4.3.8 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V4.3.8 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109816735/ * RUGGEDCOM RSG2488NC V5.X - Affected versions: All versions < V5.6.0 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RSL910 - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RSL910NC - Affected versions: All versions < V5.6.0 - Affected by vulnerabilities: CVE-2021-37208 CVE-2021-42018 CVE-2021-42019 CVE-2021-42020 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RST916C - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RST916P - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RST2228 - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ * RUGGEDCOM RST2228P - Affected versions: All versions < V5.6.0 - Remediation: Update to V5.6.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109806156/ WORKAROUNDS AND MITIGATIONS =========================== Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk: * Restrict web server access in affected system(s) to ports 443/TCP and 22/TCP, to trusted IP addresses only * Restrict access to port 69/UDP to trusted IP addresses only, for the TFTP vulnerability Product-specific remediations or mitigations can be found in the section "Affected Products and Solution". Please follow the "General Security Recommendations". GENERAL SECURITY RECOMMENDATIONS ================================ As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial- security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity PRODUCT DESCRIPTION =================== RUGGEDCOM ROS-based devices, typically switches and serial-to-Ethernet devices, are used to connect devices that operate in harsh environments such as electric utility substations and traffic control cabinets. VULNERABILITY CLASSIFICATION ============================ The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring. An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/. * Vulnerability CVE-2021-37208 Improper neutralization of special characters on the web server configuration page could allow an attacker, in a privileged position, to retrieve sensitive information via cross-site scripting. CVSS v3.1 Base Score: 9.6 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:H/E:P/RL:T/RC:C CWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') * Vulnerability CVE-2021-42016 A timing attack, in a third-party component, could make the retrieval of the private key possible, used for encryption of sensitive data. If a threat actor were to exploit this, the data integrity and security could be compromised. CVSS v3.1 Base Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C CWE: CWE-208: Observable Timing Discrepancy * Vulnerability CVE-2021-42017 A new variant of the POODLE attack has left a third-party component vulnerable due to the implementation flaws of the CBC encryption mode in TLS 1.0 to 1.2. If an attacker were to exploit this, they could act as a man-in-the- middle and eavesdrop on encrypted communications. CVSS v3.1 Base Score: 5.9 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C CWE: CWE-358: Improperly Implemented Security Check for Standard * Vulnerability CVE-2021-42018 Within a third-party component, whenever memory allocation is requested, the out of bound size is not checked. Therefore, if size exceeding the expected allocation is assigned, it could allocate a smaller buffer instead. If an attacker were to exploit this, they could cause a heap overflow. CVSS v3.1 Base Score: 5.9 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C CWE: CWE-122: Heap-based Buffer Overflow * Vulnerability CVE-2021-42019 Within a third-party component, the process to allocate partition size fails to check memory boundaries. Therefore, if a large amount is requested by an attacker, due to an integer-wrap around, it could result in a small size being allocated instead. CVSS v3.1 Base Score: 5.9 CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:H/E:P/RL:O/RC:C CWE: CWE-190: Integer Overflow or Wraparound * Vulnerability CVE-2021-42020 The third-party component, in its TFTP functionality fails to check for null terminations in file names. If an attacker were to exploit this, it could result in data corruption, and possibly a hard-fault of the application. CVSS v3.1 Base Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C CWE: CWE-754: Improper Check for Unusual or Exceptional Conditions ACKNOWLEDGMENTS =============== Siemens thanks the following party for its efforts: * Siemens Energy for coordinated disclosure of CVE-2021-37208 ADDITIONAL INFORMATION ====================== On FIPS devices, if the TFTP feature is turned on, it is no longer considered to be in FIPS mode and considered as regular ROS device (described in FIPS user manual) For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories HISTORY DATA ============ V1.0 (2022-03-08): Publication Date V1.1 (2022-03-11): Corrected the list of affected products and fix releases V1.2 (2022-04-12): Added acknowledgements V1.3 (2023-03-14): Corrected the list of affected products and added fix for V4.3.8 V1.4 (2023-04-11): Added multiple missing affected products (only affected by CVE-2021-37208, CVE-2021-42016, CVE-2021-42017, CVE-2021-42018 and CVE-2021-42019) with no fix currently planned V1.5 (2023-12-12): Added missing affected products: RUGGEDCOM RS416NCv2 V4.X, RUGGEDCOM RS416PNCv2 V4.x, RUGGEDCOM RS416v2 V4.X, RUGGEDCOM RS416Pv2 V4.X. Adjusted the name of RUGGEDCOM RS416NCv2 V5.X, RUGGEDCOM RS416PNCv2 V5.x, RUGGEDCOM RS416v2 V5.X, RUGGEDCOM RS416Pv2 V5.X (added reference to V5.X). Added Additional note for FIPS devices TERMS OF USE ============ Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use. Copyright: Siemens 2023 -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEch+g+vCfo0skv7l6x5aGHHWng/oFAmV3ooAACgkQx5aGHHWn g/oiFxAAvy+idrWq4dfB88mcQnmhki+cjueEIcDrJOGkDtp1iZFyBSZf6PCHgOSD kzjuenpTbaiP4AFWWtW8GFGvSeW2Ey/YrV2YSn5W6C3WGMpCJQCi/ijflQm5YLRg 2BG/wxu6arlO/rX9FoxwXDqESIv6J2igecrq3FQ7qW6zcuTT2SPssnqh/TsU+PWF F1eB5qqlTxDcTI/Ca1fyi/3dynVr4gJtgy6yL+aae4/UgaL/eJJ1vGppdPP5bvMl ksZS6tkbDjkwXza8JjNUXgrrFUlJZDBWvoTzOLVoKV1EaX88z8wZEmsJK0YWm8Uc WkrW+sjN//oHBIRZna+HIfnIlk26Cb70gGNY4G7Ag8U6dSRsaydQsEJFu80xpcKj LL15n3i/cg2HVtLfVWSMd6Iel1OBGtcAtVjSOHzkv2Yu7fhYAVxQTG+cVhEauBC7 678XE8QfJxz57qXeLFtVLA9MeDxnDHlKLukDOIasO6zPrP7aKKppCgrjF9+uqaiy aciiaSuwAdz/8N8Ye19PtI4w+wfw0S0wCCtHy4us3bBQFH0rGcscr66Ob6YzhNvP unJ0KjGf9nqQvTFiU1xWqTP4RwC8oj7/LpQNHi9imveHU54Yb3c/Tj1CoNqxAPlZ VCONyqunMPlil6ZYC/3C3KRjKBXVXwZvflOmZSbcWx0b3JOKsoI= =O1L3 -----END PGP SIGNATURE-----