The US security agency CISA this week informed organizations that some Westermo Lynx industrial switches are affected by several vulnerabilities, and the researchers who found the flaws said they can be exploited to tamper with a device.
According to CISA’s advisory, Lynx 206-F2G industrial Ethernet switches are affected by eight vulnerabilities, including two high-severity and six medium-severity issues.
Aarón Flecha Menéndez, Iván Alonso Álvarez and Víctor Bello Cuevas of Spain-based cybersecurity firm S21sec have been credited for finding the vulnerabilities.
The researchers told SecurityWeek that several of the security holes are stored cross-site scripting (XSS) bugs that can allow an attacker with non-administrator access to the switch’s web management interface or configuration software to plant malicious code in various places. The malicious code would then get executed when a legitimate user accesses the page where the code has been planted.
They also found code injection and cross-origin resource sharing issues — both of which can affect the correct functioning of the device — and a cross-site request forgery (CSRF) vulnerability that can be leveraged to get a targeted user to carry out various actions on the attacker’s behalf.
“An attacker with remote access to the device could inject malicious code to modify the behavior of the device’s web functionalities, modify the communications managed by the switch or deny access to users,” the researchers told SecurityWeek.
The experts also pointed out that they have found more than a dozen internet-exposed devices that could be vulnerable to remote attacks.
However, they noted that while social engineering techniques may allow attackers to exploit some of the vulnerabilities without authentication, some flaws would not be easy to exploit.
For example, in the case of the CSRF vulnerability, the targeted user needs to be authenticated and there is an anti-CSRF header that can block attack attempts.
Westermo has yet to publish a security advisory for the vulnerabilities. However, the company told CISA that the CSRF flaw has been patched and the remaining issues will be addressed in the future.