Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Plugin Spotlight: RuggedOS Telnet Server Default 'factory' Account Backdoor

Embedded Device Security Woes

Having researched embedded device security for quite some time, it never ceases to amaze me how manufacturers present vulnerabilities in their products. While I do not want to start picking on specific manufacturers (as the development process is not as easy as one might think), RuggedCom's Rugged Operating System (ROS) recently had a vulnerability disclosed. According to their website: "RuggedCom [a Siemens business unit] designs and manufactures rugged communications equipment for harsh environments." They produce a full product suite, from Ethernet switches to wireless networking, aimed at industrial (SCADA) usage.

A recent vulnerability detailed how remote management services, including TELNET and SSH on select firmware versions, contained a factory backdoor. The username of "factory" and a password derived from the MAC address could be used to log into the device. The MAC address for the devices is displayed in the login banner before entering the username and password. A post to the Full Disclosure mailing list on April 23, 2012, revealed this vulnerability to the public.

Scanning Your Network For The Vulnerability

Nessus plugin 58991, RuggedOS Telnet Server Default 'factory' Account Backdoor, was added to the plugin feed to detect this condition. When run against a vulnerable device, the results will look as follows:

Ruggedresults2
The "Plugin Output" section above lists the username and calculates the password according to the MAC address in the banner. When logging into the affected device, the output will look as follows:

[[email protected]:~]$ telnet 192.168.1.224

Rugged Operating System v3.7.3 (Mar 22 2012 13:33)
Copyright (c) RuggedCom, 2008 - All rights reserved

System Name: Tenable1
Location: Tenable
Contact: Paul Asadoorian
Product: RMC30-48
MAC Address: 00-0A-DC-48-F6-8A
Serial Number: MC30-1111-11111

Enter User Name: factory

Enter Password: 344940278

factory access
Spare - PRI Sw Main Menu 2 ALARMS!


Administration
Ethernet Ports
Ethernet Stats
Link Aggregation
Spanning Tree
Virtual LANs
Port Security
Classes of Service
Multicast Filtering
MAC Address Tables
Network Discovery
Diagnostics


Z-Help S-Shell X-Logout

You can find more information about the affected devices and ROS security on RuggedCom's ROS security page. Not all products are affected, and according to their website, a fix for all affected firmware will be released in the next few weeks.

For further discussion of this vulnerability, listen to Tenable Podcast Episode 123, where we discuss how it may have come about and some of the fallout.

Special thanks to Justin Clarke for helping us validate the accuracy of this plugin.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io Vulnerability Management

FREE FOR 60 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now and run your first scan within 60 seconds.

Buy Tenable.io Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.