Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Plugin Spotlight: RuggedOS Telnet Server Default 'factory' Account Backdoor

Embedded Device Security Woes

Having researched embedded device security for quite some time, it never ceases to amaze me how manufacturers present vulnerabilities in their products. While I do not want to start picking on specific manufacturers (as the development process is not as easy as one might think), RuggedCom's Rugged Operating System (ROS) recently had a vulnerability disclosed. According to their website: "RuggedCom [a Siemens business unit] designs and manufactures rugged communications equipment for harsh environments." They produce a full product suite, from Ethernet switches to wireless networking, aimed at industrial (SCADA) usage.

A recent vulnerability detailed how remote management services, including TELNET and SSH on select firmware versions, contained a factory backdoor. The username of "factory" and a password derived from the MAC address could be used to log into the device. The MAC address for the devices is displayed in the login banner before entering the username and password. A post to the Full Disclosure mailing list on April 23, 2012, revealed this vulnerability to the public.

Scanning Your Network For The Vulnerability

Nessus plugin 58991, RuggedOS Telnet Server Default 'factory' Account Backdoor, was added to the plugin feed to detect this condition. When run against a vulnerable device, the results will look as follows:

Ruggedresults2
The "Plugin Output" section above lists the username and calculates the password according to the MAC address in the banner. When logging into the affected device, the output will look as follows:

[[email protected]:~]$ telnet 192.168.1.224

Rugged Operating System v3.7.3 (Mar 22 2012 13:33)
Copyright (c) RuggedCom, 2008 - All rights reserved

System Name: Tenable1
Location: Tenable
Contact: Paul Asadoorian
Product: RMC30-48
MAC Address: 00-0A-DC-48-F6-8A
Serial Number: MC30-1111-11111

Enter User Name: factory

Enter Password: 344940278

factory access
Spare - PRI Sw Main Menu 2 ALARMS!


Administration
Ethernet Ports
Ethernet Stats
Link Aggregation
Spanning Tree
Virtual LANs
Port Security
Classes of Service
Multicast Filtering
MAC Address Tables
Network Discovery
Diagnostics


Z-Help S-Shell X-Logout

You can find more information about the affected devices and ROS security on RuggedCom's ROS security page. Not all products are affected, and according to their website, a fix for all affected firmware will be released in the next few weeks.

For further discussion of this vulnerability, listen to Tenable Podcast Episode 123, where we discuss how it may have come about and some of the fallout.

Special thanks to Justin Clarke for helping us validate the accuracy of this plugin.

Subscribe to the Tenable Blog

Subscribe
Try for Free Buy Now

Try Tenable.io

FREE FOR 30 DAYS

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Sign up now.

Buy Tenable.io

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

65 assets

$2,275

Buy Now

Try for Free Buy Now

Try Nessus Professional Free

FREE FOR 7 DAYS

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy Nessus Professional

Nessus® is the most comprehensive vulnerability scanner on the market today. Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, email, community and chat support 24 hours a day, 365 days a year. Full details here.

Try for Free Buy Now

Try Tenable.io Web Application Scanning

FREE FOR 30 DAYS

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable.io platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Buy Tenable.io Web Application Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try for Free Contact Sales

Try Tenable.io Container Security

FREE FOR 30 DAYS

Enjoy full access to the only container security offering integrated into a vulnerability management platform. Monitor container images for vulnerabilities, malware and policy violations. Integrate with continuous integration and continuous deployment (CI/CD) systems to support DevOps practices, strengthen security and support enterprise policy compliance.

Buy Tenable.io Container Security

Tenable.io Container Security seamlessly and securely enables DevOps processes by providing visibility into the security of container images – including vulnerabilities, malware and policy violations – through integration with the build process.

Learn More about Industrial Security

Get a Demo of Tenable.sc

Please fill out the form below with your contact information and a sales representative will contact you shortly to schedule a demo. You may also include a short comment (limited to 255 characters). Please note that fields with asterisks (*) are mandatory.

Try for Free Contact Sales

Try Tenable Lumin

FREE FOR 30 DAYS

Visualize and explore your Cyber Exposure, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Buy Tenable Lumin

Contact a Sales Representative to see how Lumin can help you gain insight across your entire organization and manage cyber risk.