Connect with us

Hi, what are you looking for?



Industrial Switches From Several Vendors Affected by Same Vulnerabilities

Industrial switches provided by several vendors are affected by the same vulnerabilities due to the fact that they share firmware made by Taiwan-based industrial networking solutions provider Korenix Technology.

Industrial switches provided by several vendors are affected by the same vulnerabilities due to the fact that they share firmware made by Taiwan-based industrial networking solutions provider Korenix Technology.

The vulnerabilities were discovered by Austria-based cybersecurity consultancy SEC Consult. The Atos-owned company has been trying to get the security holes fixed since mid-April 2020, but it took nearly one year for Korenix to release patches.

Korenix JetNet switch vulnerability The firmware developed by Korenix for its JetNet industrial switches is also used by Westermo for PMI-110-F2G and Pepperl+Fuchs for Comtrol RocketLinx industrial switches. Both Korenix and Westermo are owned by Beijer Electronics Group. SEC Consult says devices made by these companies share a “partially similar firmware base” and they are affected by the same vulnerabilities.

SEC Consult discovered five types of vulnerabilities that have been assigned critical and high severity ratings. These include unauthenticated device administration, backdoor account, cross-site request forgery (CSRF), authenticated command injection, and TFTP file read/write issues.

An attacker with network access to the targeted device can make unauthorized changes to its configuration, cause it to enter a DoS condition, and obtain sensitive information. The vulnerabilities can be exploited to take complete control of a device.

Impacted devices are used in the heavy industry, transportation, automation, power and energy, surveillance, and other sectors. According to Thomas Weber, the SEC Consult researcher who discovered the vulnerabilities, the switches are used in key positions within the network and an attacker could exploit the vulnerabilities to cut off the network connection to attached systems.

Weber said he only saw a handful of impacted devices being exposed to the internet. The CSRF flaws can in theory be used to launch attacks directly from the internet, but the researcher pointed out that CSRF protections implemented in web browsers can make exploitation more difficult.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference and SecurityWeek’s Security Summits virtual event series

Pepperl+Fuchs did release some patches and workarounds last year after being notified about the vulnerabilities, but the company’s response was limited due to the fact that the flaws existed in the Korenix firmware.

Advertisement. Scroll to continue reading.

SEC Consult’s initial attempts to get Korenix to patch the vulnerabilities failed, until late November 2020, when the company had been preparing to make its findings public. Beijer representatives got in touch with SEC Consult after being contacted by SecurityWeek for comment, and the cybersecurity firm decided to postpone its advisory to give the vendor more time to release patches. Communications improved significantly after Beijer took over the disclosure process, SEC Consult said.

In addition to releasing firmware updates that patch the vulnerabilities, Korenix has shared some recommendations for preventing potential attacks, including restricting access to devices, implementing security best practices, and configuring firewalls to protect the switches against attacks originating outside the network.

Beijer Electronics told SecurityWeek that it has worked with SEC Consult regarding the timing of the advisory being made public, but the company is unhappy with the fact that the advisory contains proof-of-concept (PoC) code and other information that could be leveraged in attacks against customers’ systems.

Related: Rockwell Industrial Switches Affected by More Vulnerabilities in Cisco Software

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn about active threats targeting common cloud deployments and what security teams can do to mitigate them.


Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.