Siemens Alert: Protect Your RUGGEDCOM APE1808 from New Security Holes – Patch Now or Panic Later!

Siemens’ tech glitch: Your RUGGEDCOM APE1808 might be serving cookies to hackers! CISA’s advisories have expired, but the vulnerabilities are fresher than ever. #SiemensSecuritySnafu

Hot Take:

Well, it looks like Siemens’ RUGGEDCOM APE1808 is the Swiss cheese of the industrial control world – full of holes and just waiting for a cybersecurity mouse to come nibbling. CISA’s opting out of the update game faster than a disillusioned IT intern, leaving Siemens to patch up their digital dairy product. But hey, at least there’s no shortage of patches… or are there?

Key Points:

  • Siemens RUGGEDCOM APE1808 has more vulnerabilities than a superhero’s tragic backstory.
  • Exploits include the classic XSS, privilege management snafus, denial of service – it’s a hacker’s buffet.
  • Siemens is handing out patches like candy on Halloween, except for that one house – CVE-2023-48795 – where you just get a toothbrush.
  • CISA’s like your friend who bails early from the party, no more updates from them on this topic.
  • Despite the vulnerabilities, public exploitation is currently more elusive than a coherent plot in a reality TV show.

Title: PAN-OS: XML API Keys Revoked by Read-Only PAN-OS Administrator
Cve id: CVE-2023-6793
Cve state: PUBLISHED
Cve assigner short name: palo_alto
Cve date updated: 12/13/2023
Cve description: An improper privilege management vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-only administrator to revoke active XML API keys from the firewall and disrupt XML API usage.

Title: PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Web Interface
Cve id: CVE-2023-6789
Cve state: PUBLISHED
Cve assigner short name: palo_alto
Cve date updated: 12/13/2023
Cve description: A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables a malicious authenticated read-write administrator to store a JavaScript payload using the web interface. Then, when viewed by a properly authenticated administrator, the JavaScript payload executes and disguises all associated actions as performed by that unsuspecting authenticated administrator.

Title: PAN-OS: Insufficient Session Expiration Vulnerability in the Web Interface
Cve id: CVE-2024-0008
Cve state: PUBLISHED
Cve assigner short name: palo_alto
Cve date updated: 02/14/2024
Cve description: Web sessions in the management interface in Palo Alto Networks PAN-OS software do not expire in certain situations, making it susceptible to unauthorized access.

Cve id: CVE-2023-38802
Cve state: PUBLISHED
Cve assigner short name: mitre
Cve date updated: 11/15/2023
Cve description: FRRouting FRR 7.5.1 through 9.0 and Pica8 PICOS 4.3.3.2 allow a remote attacker to cause a denial of service via a crafted BGP update with a corrupted attribute 23 (Tunnel Encapsulation).

Cve id: CVE-2023-48795
Cve state: PUBLISHED
Cve assigner short name: mitre
Cve date updated: 03/13/2024
Cve description: The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remote attackers to bypass integrity checks such that some packets are omitted (from the extension negotiation message), and a client and server may consequently end up with a connection for which some security features have been downgraded or disabled, aka a Terrapin attack. This occurs because the SSH Binary Packet Protocol (BPP), implemented by these extensions, mishandles the handshake phase and mishandles use of sequence numbers. For example, there is an effective attack against SSH's use of ChaCha20-Poly1305 (and CBC with Encrypt-then-MAC). The bypass occurs in chacha20-poly1305@openssh.com and (if CBC is used) the -etm@openssh.com MAC algorithms. This also affects Maverick Synergy Java SSH API before 3.1.0-SNAPSHOT, Dropbear through 2022.83, Ssh before 5.1.1 in Erlang/OTP, PuTTY before 0.80, AsyncSSH before 2.14.2, golang.org/x/crypto before 0.17.0, libssh before 0.10.6, libssh2 through 1.11.0, Thorn Tech SFTP Gateway before 3.4.6, Tera Term before 5.1, Paramiko before 3.4.0, jsch before 0.2.15, SFTPGo before 2.5.6, Netgate pfSense Plus through 23.09.1, Netgate pfSense CE through 2.7.2, HPN-SSH through 18.2.0, ProFTPD before 1.3.8b (and before 1.3.9rc2), ORYX CycloneSSH before 2.3.4, NetSarang XShell 7 before Build 0144, CrushFTP before 10.6.0, ConnectBot SSH library before 2.2.22, Apache MINA sshd through 2.11.0, sshj through 0.37.0, TinySSH through 20230101, trilead-ssh2 6401, LANCOM LCOS and LANconfig, FileZilla before 3.66.4, Nova before 11.8, PKIX-SSH before 14.4, SecureCRT before 9.4.3, Transmit5 before 5.10.4, Win32-OpenSSH before 9.5.0.0p1-Beta, WinSCP before 6.2.2, Bitvise SSH Server before 9.32, Bitvise SSH Client before 9.33, KiTTY through 0.76.1.13, the net-ssh gem 7.2.0 for Ruby, the mscdex ssh2 module before 1.15.0 for Node.js, the thrussh library before 0.35.1 for Rust, and the Russh crate before 0.40.2 for Rust.

Need to know more?

Security Advisory or Patchwork Quilt?

You thought your grandma's patchwork quilt had a lot of pieces? Wait until you see Siemens' patch list for the RUGGEDCOM APE1808. It’s a cybersecurity patchwork masterpiece with vulnerabilities ranging from cross-site scripting to improper privilege management. Just don't get too comfy under this quilt; it's got more exposed threats than a winter cabin with a broken window.

Remote Exploitation: Not Just for Sci-Fi Anymore

Imagine being able to cause chaos from the comfort of your own lair – and no, we're not talking about your mom's basement. These vulnerabilities could let a cyber villain remotely disrupt services or even execute code without setting foot in the building. It's the kind of power that would make a Bond villain blush.

Denial of Service: Cyber Style

Some folks deny service by putting up a "Closed" sign, but in the cyber world, we do it with a little more flair. Thanks to a tasty little BGP update, attackers could knock services offline faster than you can say "router reboot." And let’s not forget the SSH protocol issues that make the security features seem more optional than a salad at a barbecue.

Advice from the Cybersecurity Chef

Siemens is dishing out advice like a cybersecurity Gordon Ramsay, minus the colorful metaphors. They're serving up a full course of recommendations, from contacting customer support for patches to configuring your SSH profile. Just make sure you follow the recipe to avoid an undercooked security posture.
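The "configure your SSH profile" advice maps to the Terrapin record (CVE-2023-48795) above. What follows is an added example, not Siemens' or any SSH vendor's code: it parses sshd_config-style Ciphers/MACs lines and reports whether the combinations the CVE names (chacha20-poly1305@openssh.com, or a CBC cipher paired with an -etm@openssh.com MAC) are still offered, using a weak and a hardened profile as constructed samples.

```python
# Added example (not Siemens' code): flag SSH algorithm profiles exposed to the
# Terrapin downgrade (CVE-2023-48795) described above. Per the CVE text the bypass
# needs chacha20-poly1305@openssh.com, or a CBC cipher paired with an -etm@openssh.com
# MAC. Input is sshd_config-style text with explicit algorithm lists (no +/-/^
# modifiers); the two profiles at the bottom are constructed samples.
from dataclasses import dataclass, field

@dataclass
class SshAlgorithmProfile:
    ciphers: list[str] = field(default_factory=list)
    macs: list[str] = field(default_factory=list)

def parse_ssh_profile(text: str) -> SshAlgorithmProfile:
    """Pull the Ciphers and MACs keywords out of sshd_config-style text."""
    profile = SshAlgorithmProfile()
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)  # strip comments, split keyword/value
        if len(parts) != 2:
            continue
        names = [n.strip() for n in parts[1].split(",") if n.strip()]
        if parts[0].lower() == "ciphers":
            profile.ciphers = names
        elif parts[0].lower() == "macs":
            profile.macs = names
    return profile

def terrapin_findings(profile: SshAlgorithmProfile) -> list[str]:
    """One finding per exposed combination; an empty list means not exposed."""
    findings = []
    if "chacha20-poly1305@openssh.com" in profile.ciphers:
        findings.append("cipher chacha20-poly1305@openssh.com is offered")
    cbc = [c for c in profile.ciphers if c.endswith("-cbc")]
    etm = [m for m in profile.macs if m.endswith("-etm@openssh.com")]
    if cbc and etm:  # EtM MACs alone are fine; pairing them with CBC is the problem
        findings.append(f"CBC cipher(s) {cbc} paired with EtM MAC(s) {etm}")
    return findings

# Constructed weak profile: still offers every affected algorithm.
WEAK_PROFILE = """
Ciphers chacha20-poly1305@openssh.com,aes256-ctr,aes128-cbc
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256
"""

# Constructed hardened profile: AEAD and CTR ciphers only, EtM MACs kept.
HARDENED_PROFILE = """
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
"""
```

The check covers algorithm selection only; updating both ends of each SSH connection to versions listed as fixed in the CVE record remains the complete remedy.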

CISA's Parting Gift

Like a guest who leaves the party early but still wants to help clean up, CISA has offered some final nuggets of wisdom. They're all about minimizing exposure and isolating networks, kind of like social distancing for your control systems. They also advocate for VPNs, but with the caveat that they're only as secure as the devices they connect to – so maybe don't use your smart fridge as a VPN endpoint.

Remember, while the public exploitation isn't as rampant as a raccoon in a trash can, it's better to be safe than sorry. After all, cybersecurity isn't just a job; it's an adventure – one where you ideally keep all your data and dignity intact.

Tags: Critical Infrastructure Protection, Cross-Site Scripting (XSS), CVSS score, industrial control systems, Palo Alto Networks, Siemens RUGGEDCOM APE1808, vulnerability management