===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0049
   A vulnerability has been identified in Siemens Ruggedcom WIN products
                               11 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Siemens Ruggedcom WIN7000
                      Siemens Ruggedcom WIN7200
                      Siemens Ruggedcom WIN5100
                      Siemens Ruggedcom WIN5200
Operating System:     Network Appliance
Impact/Access:        Access Privileged Data -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-3389  
Member content until: Sunday, May 11 2014

OVERVIEW

        A vulnerability has been identified in Siemens Ruggedcom WIN products.


IMPACT

        The vendor has provided the following details regarding this 
        vulnerability:
                
        "An attacker can use the BEAST attack (CVE-2011-3389) against SSL/TLS 
        secured connections when TLS 1.0, SSL 3.0 or below is used with block 
        ciphers. This attack is mitigated in newer browser versions by 
        implementing the 1/n-1 record splitting technique. 
                
        The SSL/TLS secured web interface of the affected products is 
        vulnerable to the BEAST attack and used SSL libraries which were not 
        compatible with 1/n-1 record splitting. Therefore, some newer browser 
        versions with 1/n-1 record splitting enabled could not connect 
        to this web interface." [1]
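
        The condition quoted above (TLS 1.0, SSL 3.0 or below combined with a
        block cipher) and the 1/n-1 split can be modelled as follows. This is
        an added example, not code from AusCERT or Siemens; the function
        names, host names and session list are constructed, and cipher suites
        are assumed to be given by their IANA names.

```python
# Added example: every name and sample value here is constructed for illustration.
# Protocol labels follow the strings Python's ssl module reports for a session.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}  # "TLS 1.0, SSL 3.0 or below"


def uses_block_cipher(iana_suite):
    """CBC-mode suites carry _CBC_ in their IANA name; RC4 and AEAD suites do not."""
    return "_CBC_" in iana_suite.upper()


def beast_condition(protocol, iana_suite):
    """True when a session matches the condition quoted in the bulletin."""
    return protocol in LEGACY_PROTOCOLS and uses_block_cipher(iana_suite)


def split_1_n_minus_1(fragment):
    """Client-side mitigation: first byte in its own record, then the other n-1."""
    if len(fragment) <= 1:
        return [fragment] if fragment else []
    return [fragment[:1], fragment[1:]]


def plan_records(protocol, iana_suite, write):
    """Plaintext fragments a splitting client hands to the record layer for one
    application write (simplified: the write is assumed to fit in one record)."""
    if beast_condition(protocol, iana_suite):
        return split_1_n_minus_1(write)
    return [write] if write else []


# Constructed sample: (host, negotiated protocol, negotiated IANA suite).
SAMPLE_SESSIONS = [
    ("device-a.example", "TLSv1", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("device-b.example", "TLSv1", "TLS_RSA_WITH_RC4_128_SHA"),
    ("device-c.example", "TLSv1.2", "TLS_RSA_WITH_AES_128_CBC_SHA"),
    ("device-d.example", "SSLv3", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
]


def exposed_hosts(sessions):
    """Hosts whose negotiated session meets the bulletin's condition."""
    return [host for host, proto, suite in sessions if beast_condition(proto, suite)]


if __name__ == "__main__":
    print(exposed_hosts(SAMPLE_SESSIONS))
    print(plan_records("TLSv1", "TLS_RSA_WITH_AES_128_CBC_SHA", b"GET / HTTP/1.1\r\n"))
```

        A server library that cannot accept the leading one-byte record
        produces the connection failures the vendor describes.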


MITIGATION

        It is recommended that administrators update the firmware on affected
        devices to correct this issue.


REFERENCES

        [1] SSA-353456: BEAST Attack Vulnerability in Ruggedcom WIN Products
            http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-353456.pdf

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================