Plugin Spotlight: RuggedOS Telnet Server Default 'factory' Account Backdoor
Embedded Device Security Woes
Having researched embedded device security for quite some time, it never ceases to amaze me how manufacturers present vulnerabilities in their products. While I do not want to start picking on specific manufacturers (as the development process is not as easy as one might think), RuggedCom's Rugged Operating System (ROS) recently had a vulnerability disclosed. According to their website: "RuggedCom [a Siemens business unit] designs and manufactures rugged communications equipment for harsh environments." They produce a full product suite, from Ethernet switches to wireless networking, aimed at industrial (SCADA) usage.
A recent vulnerability detailed how remote management services, including TELNET and SSH on select firmware versions, contained a factory backdoor. The username of "factory" and a password derived from the MAC address could be used to log into the device. The MAC address for the devices is displayed in the login banner before entering the username and password. A post to the Full Disclosure mailing list on April 23, 2012, revealed this vulnerability to the public.
Scanning Your Network For The Vulnerability
Nessus plugin 58991, RuggedOS Telnet Server Default 'factory' Account Backdoor, was added to the plugin feed to detect this condition. When run against a vulnerable device, the results will look as follows:
The "Plugin Output" section above lists the username and calculates the password according to the MAC address in the banner. When logging into the affected device, the output will look as follows:
[paul@laptop:~]$ telnet 192.168.1.224
You can find more information about the affected devices and ROS security on RuggedCom's ROS security page. Not all products are affected, and according to their website, a fix for all affected firmware will be released in the next few weeks.
For further discussion of this vulnerability, listen to Tenable Podcast Episode 123, where we discuss how it may have come about and some of the fallout.
Special thanks to Justin Clarke for helping us validate the accuracy of this plugin.