Sweden-based industrial data communications company Westermo has released firmware updates for some of its wireless 3G and 4G routers to address several potentially serious vulnerabilities.
Qualys researcher Mandar Jadhav found that Westermo’s MRD-305-DIN, MRD-315, MRD-355 and MRD-455 industrial routers, which are deployed worldwide for remote access in the commercial facilities, critical manufacturing and energy sectors, are affected by three vulnerabilities.
While analyzing the firmware shipped for these devices, Jadhav noticed that the image contained hardcoded SSH host keys and HTTPS certificates together with their private keys. Because the keys are baked into the firmware rather than generated on each unit, anyone who extracts them from a firmware image can act as a man-in-the-middle (MitM) against any router running it: impersonating the device, or decrypting captured sessions, and thereby recovering administrator credentials that grant access to the device with elevated privileges. The flaw is tracked as CVE-2017-5816 and is rated critical by ICS-CERT and high severity by Westermo.
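The practical check behind this finding is to carve PEM objects out of a raw firmware image and compare their fingerprints across images: a private key that appears in more than one image is a shared, hardcoded key. The script below is an added example, not Qualys' or Westermo's code; the three "images" are constructed byte strings with placeholder base64 blobs standing in for keys, not real Westermo firmware or real key material.

```python
"""Carve PEM private keys/certificates out of firmware blobs and flag keys that
recur across images (the class of weakness behind CVE-2017-5816).

Added example, not code from Qualys or Westermo. All sample data is constructed.
"""
import base64
import hashlib
import re

# A PEM block can sit anywhere in a raw flash dump, surrounded by binary noise,
# so scan the whole blob as bytes rather than decoding it as text.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<kind>[A-Z ]*?(?:PRIVATE KEY|CERTIFICATE))-----\s*"
    rb"(?P<body>[A-Za-z0-9+/=\s]+?)"
    rb"-----END (?P=kind)-----"
)


def extract_pem_blocks(blob: bytes) -> list[tuple[str, str]]:
    """Return (kind, sha256 hex of the base64 body) for every PEM object in blob.
    Hashing the whitespace-stripped body gives a stable fingerprint without
    parsing ASN.1, which is all that is needed to detect reuse."""
    found = []
    for m in PEM_RE.finditer(blob):
        kind = m.group("kind").decode()
        body = b"".join(m.group("body").split())
        found.append((kind, hashlib.sha256(body).hexdigest()))
    return found


def shared_private_keys(images: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each private-key fingerprint to the images containing it, keeping only
    fingerprints seen in more than one image: those are hardcoded, shared keys."""
    by_fp: dict[str, list[str]] = {}
    for name, blob in images.items():
        for kind, fp in extract_pem_blocks(blob):
            if kind.endswith("PRIVATE KEY"):
                by_fp.setdefault(fp, []).append(name)
    return {fp: names for fp, names in by_fp.items() if len(names) > 1}


# --- constructed sample data (placeholders, NOT real keys or certificates) ---
def _pem(kind: str, raw: bytes) -> bytes:
    body = base64.encodebytes(raw).decode()  # wraps at 76 chars, ends with '\n'
    return f"-----BEGIN {kind}-----\n{body}-----END {kind}-----\n".encode()

KEY_SHARED = _pem("RSA PRIVATE KEY", b"placeholder-shared-key-material-" * 3)
KEY_UNIQUE = _pem("RSA PRIVATE KEY", b"placeholder-per-device-key-material" * 3)
CERT_SHARED = _pem("CERTIFICATE", b"placeholder-certificate-bytes-" * 3)
NOISE = bytes(range(256))  # stands in for surrounding filesystem/binary data

SAMPLE_IMAGES = {
    "imageA.bin": NOISE + KEY_SHARED + NOISE + CERT_SHARED + NOISE,
    "imageB.bin": NOISE + CERT_SHARED + NOISE + KEY_SHARED,
    "imageC.bin": NOISE + KEY_UNIQUE + NOISE,
}


def report(images: dict[str, bytes]) -> list[str]:
    """Human-readable lines: one per shared key, listing the images that carry it."""
    return [f"shared private key {fp[:16]}... in {', '.join(sorted(names))}"
            for fp, names in shared_private_keys(images).items()]


if __name__ == "__main__":
    for name, blob in SAMPLE_IMAGES.items():
        print(name, extract_pem_blocks(blob))
    print("\n".join(report(SAMPLE_IMAGES)) or "no shared private keys found")
```

On a real assessment the same fingerprint would also be compared against the key a live device presents over SSH or TLS; a match confirms that the key extracted from the public firmware download is the one protecting the management session.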
The researcher also found an undocumented account with a hardcoded username and password, both set to “user.” The vulnerability, tracked as CVE-2017-12709 and rated medium/high severity, gives an attacker access to the device with limited privileges.
Jadhav also noticed that several pages in the Westermo web administration interface carried no cross-site request forgery (CSRF) protection, allowing an attacker to trigger actions on behalf of an authenticated user without that user’s knowledge.
“The Cross Site Request Forgery vulnerability may lead to unauthorized manipulation of the device if an authenticated user is accessing an infected web site concurrently to the device web management interface (in the same browser but a different tab). The attacker will be able to invoke any command with the same privileges as the authenticated user,” Westermo explained in an advisory.
Qualys has published a simple proof-of-concept (PoC) that uses the CSRF weakness to reboot the router. This security hole is tracked as CVE-2017-12703 and is rated high severity, with a CVSS score of 8.8.
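The scenario Westermo describes above, and a standard fix for it, reduce to a small amount of request-handling logic. The model below is an added example, not Westermo's firmware or Qualys' PoC: the `/reboot` path, the `session` cookie, the `csrf_token` field and the router origin are assumptions chosen for illustration. The vulnerable handler trusts the session cookie alone, which the victim's browser attaches to a form submitted by an attacker's page; the hardened handler additionally requires a per-session token that a cross-site page cannot read and rejects requests whose browser-supplied Origin is not the router itself.

```python
"""CSRF against a router 'reboot' action (the weakness class of CVE-2017-12703):
a session-cookie-only handler beside one with an anti-CSRF token and Origin check.

Added example, not Westermo's or Qualys' code. Endpoint, cookie and field names
are assumptions; the session store is constructed for the demonstration.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    method: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)
    origin: Optional[str] = None  # Origin header; browsers set it on cross-site POSTs


# Constructed server state: one admin is logged in to the management interface.
SESSIONS = {"s3ss10n": {"user": "admin", "csrf": secrets.token_hex(16)}}
ROUTER_ORIGIN = "https://192.0.2.1"  # assumed router origin (TEST-NET address)


def reboot_vulnerable(req: Request, actions: list) -> int:
    """Authenticates on the session cookie alone. A form auto-submitted by a page in
    another tab arrives with the same cookie and is indistinguishable from the
    admin's own click, so the device reboots at the attacker's request."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if req.method == "POST" and req.path == "/reboot" and sess:
        actions.append(f"reboot by {sess['user']}")
        return 200
    return 403


def reboot_hardened(req: Request, actions: list) -> int:
    """Same action with two controls: a secret token bound to the session, which a
    cross-origin page cannot read out of the admin's tab, and a check that any
    Origin header names the router itself."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if not (req.method == "POST" and req.path == "/reboot" and sess):
        return 403
    token = req.form.get("csrf_token", "")
    if not hmac.compare_digest(token, sess["csrf"]):  # constant-time compare
        return 403
    if req.origin is not None and req.origin != ROUTER_ORIGIN:
        return 403
    actions.append(f"reboot by {sess['user']}")
    return 200


def csrf_attack(handler) -> tuple[int, list]:
    """Simulate the advisory's scenario: the admin's browser, with the session
    cookie attached, POSTs a form served by an attacker-controlled site."""
    actions: list = []
    forged = Request("POST", "/reboot", cookies={"session": "s3ss10n"},
                     form={}, origin="https://attacker.example")
    return handler(forged, actions), actions


def legitimate_reboot(handler) -> tuple[int, list]:
    """The admin's own request from the router's page, carrying the session token."""
    actions: list = []
    req = Request("POST", "/reboot", cookies={"session": "s3ss10n"},
                  form={"csrf_token": SESSIONS["s3ss10n"]["csrf"]},
                  origin=ROUTER_ORIGIN)
    return handler(req, actions), actions


if __name__ == "__main__":
    print("vulnerable, forged request :", csrf_attack(reboot_vulnerable))
    print("hardened,   forged request :", csrf_attack(reboot_hardened))
    print("hardened,   admin's request:", legitimate_reboot(reboot_hardened))
```

The Origin check alone would not be enough in every case (some requests carry no Origin header, which is why the handler only rejects a present, mismatching one), and the token alone is enough only if it is tied to the session and never placed in a URL; using both is the usual recommendation for management interfaces that must keep working with older browsers.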
The CSRF flaw affects MRD-305-DIN, MRD-315, MRD-355 and MRD-455 devices running a version of the firmware prior to 220.127.116.11. The hardcoded key flaws have been patched in version 18.104.22.168.
This was not the first time researchers had found hardcoded keys in Westermo products. Last year, ICS-CERT revealed that many of the company’s industrial switches shipped with the same SSL private key, allowing MitM attackers to intercept and decrypt communications.