Sign-up

ID

VAR-201508-0255


CVE

CVE-2015-5537


TITLE

Rugged Operating System (ROS) SSL 3.0 Protocol downgrade SSL Decryption vulnerability

Trust: 0.8

sources: IVD: 808fa976-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-04983

DESCRIPTION

The SSL layer of the HTTPS service in Siemens RuggedCom ROS before 4.2.0 and ROX II does not properly implement CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a different vulnerability than CVE-2014-3566. This vulnerability CVE-2014-3566 Is a different vulnerability.Man-in-the-middle attacks (man-in-the-middle attack) May get plain text data through padding oracle attacks. RuggedCom Inc. is the world's leading manufacturer of high performance networking and communications equipment for industrial environments. The Rugged Operating System (ROS) has a security vulnerability that allows an attacker to reduce the client to SSLv3 through a man-in-the-middle attack instead of the TLS v1.x protocol, and then use the BEAST type of attack to decrypt the communication. Siemens RuggedCom ROS and ROX devices are prone to an information disclosure vulnerability. An attacker can exploit this issue to perform man-in-the-middle attacks and obtain sensitive information. Successful exploits will lead to other attacks. Siemens RuggedCom ROS and ROX II is a set of operating systems used in RuggedCom series switches from Siemens, Germany. The vulnerability stems from the fact that the program does not implement CBC padding correctly

Trust: 2.7

sources: NVD: CVE-2015-5537 // JVNDB: JVNDB-2015-003967 // CNVD: CNVD-2015-04983 // BID: 75982 // IVD: 808fa976-2351-11e6-abef-000c29c66e3d // VULHUB: VHN-83498

IOT TAXONOMY

category:['ICS', 'Network device']sub_category: -

Trust: 0.6

category:['ICS']sub_category: -

Trust: 0.2

sources: IVD: 808fa976-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-04983

AFFECTED PRODUCTS

vendor:siemensmodel:ruggedcom rox iiscope:eqversion: -

Trust: 1.0

vendor:siemensmodel:ruggedcom rugged operating systemscope:ltversion:4.2.0

Trust: 1.0

vendor:siemensmodel:ruggedcom rugged operating systemscope:ltversion:(ros) 4.2.0

Trust: 0.8

vendor:siemensmodel:ruggedcom rugged operating system on linux iiscope: - version: -

Trust: 0.8

vendor:ruggedcommodel:rugged operating systemscope: - version: -

Trust: 0.6

vendor:siemensmodel:ruggedcom rugged operating systemscope:eqversion:4.1.0

Trust: 0.6

vendor:siemensmodel:ruggedcom rugged operating system on linux iiscope:eqversion: -

Trust: 0.6

vendor:ruggedcom rugged operating systemmodel: - scope:eqversion:*

Trust: 0.2

vendor:ruggedcom rugged operating system on linux iimodel: - scope:eqversion: -

Trust: 0.2

sources: IVD: 808fa976-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-04983 // JVNDB: JVNDB-2015-003967 // CNNVD: CNNVD-201507-740 // NVD: CVE-2015-5537

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2015-5537
value: MEDIUM

Trust: 1.0

NVD: CVE-2015-5537
value: MEDIUM

Trust: 0.8

CNVD: CNVD-2015-04983
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201507-740
value: MEDIUM

Trust: 0.6

IVD: 808fa976-2351-11e6-abef-000c29c66e3d
value: MEDIUM

Trust: 0.2

VULHUB: VHN-83498
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2015-5537
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2015-04983
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

IVD: 808fa976-2351-11e6-abef-000c29c66e3d
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.9 [IVD]

Trust: 0.2

VULHUB: VHN-83498
severity: MEDIUM
baseScore: 4.3
vectorString: AV:N/AC:M/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 8.6
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: IVD: 808fa976-2351-11e6-abef-000c29c66e3d // CNVD: CNVD-2015-04983 // VULHUB: VHN-83498 // JVNDB: JVNDB-2015-003967 // CNNVD: CNNVD-201507-740 // NVD: CVE-2015-5537

PROBLEMTYPE DATA

problemtype:CWE-312

Trust: 1.0

problemtype:CWE-310

Trust: 0.9

sources: VULHUB: VHN-83498 // JVNDB: JVNDB-2015-003967 // NVD: CVE-2015-5537

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201507-740

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201507-740

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2015-003967

PATCH
title:SSA-396873url:http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-396873.pdf
Trust: 0.8
title:Rugged Operating System (ROS) SSL 3.0 protocol downgrades SSL decryption vulnerability patchurl:https://www.cnvd.org.cn/patchInfo/show/61675
Trust: 0.6
title:Siemens RuggedCom ROS  and ROX II Repair measures for device information disclosure vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=180266
Trust: 0.6
sources:
            
            
            CNVD: CNVD-2015-04983 // 
            
            
            
            JVNDB: JVNDB-2015-003967 // 
            
            
            
            CNNVD: CNNVD-201507-740

EXTERNAL IDS
db:NVDid:CVE-2015-5537
Trust: 3.6
db:ICS CERTid:ICSA-15-202-03A
Trust: 2.5
db:SIEMENSid:SSA-396873
Trust: 2.3
db:SECTRACKid:1033022
Trust: 1.7
db:BIDid:75982
Trust: 1.0
db:CNNVDid:CNNVD-201507-740
Trust: 0.9
db:CNVDid:CNVD-2015-04983
Trust: 0.8
db:JVNDBid:JVNDB-2015-003967
Trust: 0.8
db:IVDid:808FA976-2351-11E6-ABEF-000C29C66E3D
Trust: 0.2
db:SEEBUGid:SSVID-89505
Trust: 0.1
db:VULHUBid:VHN-83498
Trust: 0.1
sources:
            
            
            IVD: 808fa976-2351-11e6-abef-000c29c66e3d // 
            
            
            
            CNVD: CNVD-2015-04983 // 
            
            
            
            VULHUB: VHN-83498 // 
            
            
            
            BID: 75982 // 
            
            
            
            JVNDB: JVNDB-2015-003967 // 
            
            
            
            CNNVD: CNNVD-201507-740 // 
            
            
            
            NVD: CVE-2015-5537

REFERENCES
url:https://ics-cert.us-cert.gov/advisories/icsa-15-202-03a
Trust: 2.5
url:http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-396873.pdf
Trust: 2.3
url:http://www.securitytracker.com/id/1033022
Trust: 1.7
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-5537
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-5537
Trust: 0.8
url:http://subscriber.communications.siemens.com/
Trust: 0.3
sources:
            
            
            CNVD: CNVD-2015-04983 // 
            
            
            
            VULHUB: VHN-83498 // 
            
            
            
            BID: 75982 // 
            
            
            
            JVNDB: JVNDB-2015-003967 // 
            
            
            
            CNNVD: CNNVD-201507-740 // 
            
            
            
            NVD: CVE-2015-5537

CREDITS
The vendor reported this issue.
Trust: 0.3
sources:
            
            
            BID: 75982

SOURCES
db:IVDid:808fa976-2351-11e6-abef-000c29c66e3d
db:CNVDid:CNVD-2015-04983
db:VULHUBid:VHN-83498
db:BIDid:75982
db:JVNDBid:JVNDB-2015-003967
db:CNNVDid:CNNVD-201507-740
db:NVDid:CVE-2015-5537

LAST UPDATE DATE
2024-11-23T22:59:31.744000+00:00

SOURCES UPDATE DATE
db:CNVDid:CNVD-2015-04983date:2015-07-29T00:00:00
db:VULHUBid:VHN-83498date:2017-09-21T00:00:00
db:BIDid:75982date:2015-07-22T00:00:00
db:JVNDBid:JVNDB-2015-003967date:2015-08-04T00:00:00
db:CNNVDid:CNNVD-201507-740date:2022-02-07T00:00:00
db:NVDid:CVE-2015-5537date:2024-11-21T02:33:13.763

SOURCES RELEASE DATE
db:IVDid:808fa976-2351-11e6-abef-000c29c66e3ddate:2015-07-29T00:00:00
db:CNVDid:CNVD-2015-04983date:2015-07-28T00:00:00
db:VULHUBid:VHN-83498date:2015-08-03T00:00:00
db:BIDid:75982date:2015-07-22T00:00:00
db:JVNDBid:JVNDB-2015-003967date:2015-08-04T00:00:00
db:CNNVDid:CNNVD-201507-740date:2015-07-23T00:00:00
db:NVDid:CVE-2015-5537date:2015-08-03T01:59:02.903