Researchers have identified several vulnerabilities in Magnum 6K and Magnum 10K managed ethernet switches produced by Belden GarrettCom. The vendor has released firmware updates to address the security holes.
GarrettCom Magnum is a line of managed switches designed for harsh industrial environments. The devices are deployed in the United States in critical infrastructure sectors such as defense industrial base, critical manufacturing, water, energy, and transportation.
According to an advisory published by ICS-CERT, Qualys vulnerability research engineer Ashish Kamble and researcher Eireann Leverett have identified multiple issues affecting Magnum 6K and 10K products running firmware versions prior to 4.5.6. An advisory published by GarrettCom reveals that the vulnerabilities impact the Magnum 10KT, 10KG, 6K32, 6K25, 6K16, 6K8, 6KL, 6KM and 6KQ product lines.
Experts found that the firmware installed on vulnerable switches contains a hardcoded password linked to a privileged account used for maintenance and support (CVE-2015-3959).
Kamble says an attacker can use the password to access the switch, and execute arbitrary commands or shut down the device. The researcher says he has identified 17 Magnum switches connected to the Internet using the Shodan search engine. These devices are still running vulnerable versions of the firmware.
GarrettCom noted that the account for the privileged user is not actually enabled in the operating switch, but agrees that the presence of the password in the firmware is “inappropriate.”
Researchers discovered that the firmware also contains hardcoded RSA private keys and certificate files (CVE-2015-3960).
“An attacker having access to these certificates and keys could not only decrypt the HTTPS secure traffic but also log in via SSH without a username/password to any device running the same version of the firmware,” Kamble said in a blog post.
The device’s web server is plagued by denial-of-service (DoS) and cross-site scripting (XSS) vulnerabilities.
The DoS flaw (CVE-2015-3961) can be exploited by issuing a certain form of URL against the web server. This triggers a memory corruption, which can cause the switch to reboot. The XSS vulnerabilities (CVE-2015-3942) exist due to improper sanitization of user input. An unauthenticated attacker can leverage the flaws to execute arbitrary code.
GarrettCom has addressed the security holes with the release of version 4.5.6 of the firmware. The company advises customers to update their installations as soon as possible.