Plugin Spotlight: RuggedOS Telnet Server Default 'factory' Account Backdoor

by Paul Asadoorian
May 14, 2012

Embedded Device Security Woes

Having researched embedded device security for quite some time, it never ceases to amaze me how manufacturers present vulnerabilities in their products. While I do not want to start picking on specific manufacturers (as the development process is not as easy as one might think), RuggedCom's Rugged Operating System (ROS) recently had a vulnerability disclosed. According to their website: "RuggedCom [a Siemens business unit] designs and manufactures rugged communications equipment for harsh environments." They produce a full product suite, from Ethernet switches to wireless networking, aimed at industrial (SCADA) usage.

A recent vulnerability detailed how remote management services, including TELNET and SSH on select firmware versions, contained a factory backdoor. The username of "factory" and a password derived from the MAC address could be used to log into the device. The MAC address for the devices is displayed in the login banner before entering the username and password. A post to the Full Disclosure mailing list on April 23, 2012, revealed this vulnerability to the public.

Scanning Your Network For The Vulnerability

Nessus plugin 58991, RuggedOS Telnet Server Default 'factory' Account Backdoor, was added to the plugin feed to detect this condition. When run against a vulnerable device, the results will look as follows:

Ruggedresults2
The "Plugin Output" section above lists the username and calculates the password according to the MAC address in the banner. When logging into the affected device, the output will look as follows:

[paul@laptop:~]$ telnet 192.168.1.224

Rugged Operating System v3.7.3 (Mar 22 2012 13:33)
Copyright (c) RuggedCom, 2008 - All rights reserved

System Name: Tenable1
Location: Tenable
Contact: Paul Asadoorian
Product: RMC30-48
MAC Address: 00-0A-DC-48-F6-8A
Serial Number: MC30-1111-11111

Enter User Name: factory

Enter Password: 344940278

factory access
Spare - PRI Sw Main Menu 2 ALARMS!


Administration
Ethernet Ports
Ethernet Stats
Link Aggregation
Spanning Tree
Virtual LANs
Port Security
Classes of Service
Multicast Filtering
MAC Address Tables
Network Discovery
Diagnostics


Z-Help S-Shell X-Logout

You can find more information about the affected devices and ROS security on RuggedCom's ROS security page. Not all products are affected, and according to their website, a fix for all affected firmware will be released in the next few weeks.

For further discussion of this vulnerability, listen to Tenable Podcast Episode 123, where we discuss how it may have come about and some of the fallout.

Special thanks to Justin Clarke for helping us validate the accuracy of this plugin.