CVE-2012-1803
published 2012-04-28


Priority: P2 73 (high)
CVSS 2.0: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)
EXPLOIT
EPSS: 49.11% (98.7th percentile)

RuggedCom Rugged Operating System (ROS) 3.10.x and earlier has a factory account with a password derived from the MAC Address field in the banner, which makes it easier for remote attackers to obtain access by performing a calculation on this address value, and then establishing a (1) TELNET, (2) remote shell (aka rsh), or (3) serial-console session.

Affected

2 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| siemens | ruggedcom_rugged_operating_system | < 3.3.0 | 3.3.0 |
| siemens | ruggedcom_rugged_operating_system | 3.2.0 – 3.10.1 | |

Detection & IOCs (extracted from sources)

command: perl ruggedfail.pl <macaddress>
  • Use Nessus plugin ID 58991 to actively check for the CVE-2012-1803 RuggedOS backdoor account.
  • The backdoor password is derived from the device MAC address using the formula: reverse MAC bytes + '0000', convert hex to decimal, modulo 999999929. Monitor for scripted password generation attempts correlated with MAC address enumeration.
  • ICS-CERT confirmed that public exploits no longer work on patched firmware v3.10.1; flag any ROS devices running versions 3.2.x and earlier or unpatched 3.3.x as vulnerable.
  • The Metasploit auxiliary module scanner/telnet/telnet_ruggedcom can be used to validate exposure; detect its use in network traffic as an attacker indicator.
  • The factory backdoor account cannot be disabled in affected ROS versions; the only remediation is firmware upgrade to versions 3.10.1, 3.9.3, 3.8.5, or 3.7.9 which remove the account entirely.
  • Patched firmware removes the factory account and also removes device information from the standard login banner, which was previously used to derive the MAC-address-based password.
  • A related but distinct vulnerability (CVE-2012-2441) also exists in ROS before 3.3, where a factory account password is derived from the MAC address banner — exploitable via SSH or HTTPS rather than Telnet.