Advisory: Red Lion Controls & AutomationDirect Industrial Ethernet Switch Vulnerabilities (CVE-2017-9335)

Brisbane-based RIoT Solutions recently identified vulnerabilities in Red Lion switches that are commonly deployed worldwide in critical infrastructure environments. As a result of this discovery, the US Department of Homeland Security (DHS) has issued a world-wide advisory: https://ics-cert.us-cert.gov/advisories/ICSA-17-054-02.

The vulnerabilities were identified by security consultant Mark Cross in two product lines: Red Lion Controls' Sixnet SLX Managed Industrial Switches and AutomationDirect's STRIDE Managed Ethernet Switches.

Both are managed industrial Ethernet switches commonly deployed worldwide in critical infrastructure environments. They were found to use hard-coded cryptographic keys (CVE-2017-9335 | CWE-321) and to assign incorrect permissions to a critical resource (the system passwd file).

The switches ship with hard-coded SSH and SSL cryptographic keys, which is why DHS allocated the highest possible criticality score to this vulnerability. There is no functionality to randomise the keys at first boot and no capability for a user to re-generate them, so identical hard-coded SSH and SSL keys are in use by every product running a firmware version prior to 5.3.174.

In practice this means every affected device worldwide presents the exact same SSH host key and the same SSL certificate and private key. A malicious actor who extracts those keys from a single unit, or from a firmware image, holds the keys of every other unit as well, and could potentially intercept and decrypt what is supposed to be secure management traffic to any of them.

The switches were also found to have weak file permissions applied to the passwd file. The system file which stores usernames and hashed passwords is world-readable. An attacker with physical access to a switch, or with access to the manufacturer's firmware image, can therefore read the hashes and run offline brute-force attacks against them. The switches do not use password shadowing, so the hashes sit in the world-readable passwd file rather than in a root-only shadow file; this is an insecure method of storing password hashes.

Vulnerabilities Summary:

The following information is a summary of the vulnerabilities identified by RIoT Solutions in relation to Red Lion Controls’ Sixnet SLX Managed Industrial Switches and AutomationDirect’s STRIDE Managed Ethernet Switches.

Device Information:

Product: Red Lion Controls Sixnet SLX Managed Industrial Switches

URL: http://www.redlion.net/products/industrial-networking/ethernet-solutions/managed-ethernet-switches/sixnet-slx-managed-switches

Version: Firmware version 5.0.196 and prior

Model/s: SL and SLX series, EK/EF series, ET MIL-rated switches, ET OEM (board-level) switches


Product: AutomationDirect STRIDE Managed Ethernet Switches

URL: https://www.automationdirect.com/adc/Overview/Catalog/Communications/Industrial_Ethernet_Switches/Managed

Version: Firmware 5.0.190

Vendor:  AutomationDirect

Model/s: SE-SW5M, SE-SW5M-2SC, SE-SW5M-2ST, SE-SW8M, SE-SW8M-2SC, SE-SW8M-2ST, SE-SW8MG-4P, SE-SW10MG-2P, SE-SW16M


Use of Hard-coded Cryptographic Keys (CVE-2017-9335 | CVSS 10)

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9335

Vulnerable versions of Red Lion Controls' Sixnet SLX Managed Industrial Switches and AutomationDirect's STRIDE Managed Ethernet Switches were found to have hard-coded Secure Shell (SSH) and Secure Sockets Layer (SSL) cryptographic keys implemented.  As there is no functionality available to randomise the keys, or capability for a user to re-generate keys, identical hard-coded SSH and SSL keys are in use by all products using a firmware version prior to 5.3.174.  A malicious actor could disrupt, intercept, and compromise systems which rely on the hard-coded keys for secure communications.  CVE-2017-9335 has been assigned to the Use of Hard-coded Cryptographic Keys vulnerability, with a CVSS v3 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
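The practical check an operator wants for this class of bug is whether two or more devices present the same SSH host key. The Python below is an added example written for this page, not code from RIoT Solutions, Red Lion Controls or AutomationDirect: it takes `ssh-keyscan`-format lines, computes each key's OpenSSH SHA256 fingerprint, and lists every fingerprint that appears on more than one host. The hosts (RFC 5737 addresses) and the RSA key blobs are constructed for the example; the page does not publish the real vendor keys and none are reproduced here.

```python
"""Find SSH host keys shared by more than one device.

Added example for this page (not code from RIoT Solutions or the vendors).
Input is ssh-keyscan output: "host keytype base64-blob" per line, comments
beginning with '#'. Output maps each OpenSSH SHA256 fingerprint seen on two
or more hosts to the list of those hosts.
"""
import base64
import hashlib
from collections import defaultdict


def _ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire-format string (4-byte big-endian length + data)."""
    return len(data).to_bytes(4, "big") + data


def fake_rsa_blob(modulus: bytes) -> str:
    """Build a syntactically valid base64 ssh-rsa public key blob.

    CONSTRUCTED test data: the modulus is arbitrary bytes, not a real key.
    Layout follows RFC 4253: string "ssh-rsa", mpint e, mpint n.
    """
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(modulus)
    return base64.b64encode(blob).decode("ascii")


# Constructed ssh-keyscan output: three switches presenting one identical key
# (the hard-coded-key condition) and one device with its own key.
SHARED_BLOB = fake_rsa_blob(b"\x00" + bytes(range(1, 65)))
UNIQUE_BLOB = fake_rsa_blob(b"\x00" + bytes(range(64, 0, -1)))
SAMPLE_KEYSCAN = "\n".join([
    "# 192.0.2.10:22 SSH-2.0-dropbear",
    f"192.0.2.10 ssh-rsa {SHARED_BLOB}",
    f"192.0.2.11 ssh-rsa {SHARED_BLOB}",
    f"192.0.2.12 ssh-rsa {SHARED_BLOB}",
    f"192.0.2.20 ssh-rsa {UNIQUE_BLOB}",
])


def fingerprint(blob_b64: str) -> str:
    """OpenSSH-style SHA256 fingerprint: base64(sha256(raw blob)) without '=' padding."""
    raw = base64.b64decode(blob_b64)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def parse_keyscan(text: str):
    """Yield (host, keytype, blob) from ssh-keyscan output, skipping comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], parts[2]


def shared_keys(text: str) -> dict:
    """Return {fingerprint: [hosts]} for every key presented by more than one host."""
    hosts_by_fp = defaultdict(list)
    for host, _keytype, blob in parse_keyscan(text):
        hosts_by_fp[fingerprint(blob)].append(host)
    return {fp: hosts for fp, hosts in hosts_by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE_KEYSCAN).items():
        print(f"{fp} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

On a real network, feed it the output of `ssh-keyscan -t rsa,ecdsa,ed25519 -f hosts.txt`; a single fingerprint reported against every switch is exactly the CVE-2017-9335 condition. The same comparison applies to the SSL side: collect `openssl s_client -connect <host>:443 </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256` per device and look for repeats. After upgrading to 5.3.174, re-run the check to confirm the keys now differ per device rather than assuming they do.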

Incorrect Permission Assignment for a Critical Resource

Vulnerable versions of Red Lion Controls' Sixnet SLX Managed Industrial Switches and AutomationDirect's STRIDE Managed Ethernet Switches were found to have weak file permissions applied to the passwd file.  The system file which stores usernames and hashed passwords was identified as having incorrect, world-readable permissions assigned.  This vulnerability could allow an attacker who has physical access to the switches, or access to the manufacturer's firmware, to obtain the hashes and perform offline brute force attacks against them.  The research also identified that the switches do not utilise password shadowing, so the hashes are stored in the passwd file itself rather than in a root-only shadow file, which is an insecure method of storing password hashes.

It is important to note that Red Lion Controls has NOT addressed the Incorrect Permissions Assignment for Critical Resource vulnerability.
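Because the vendor has not addressed this issue, operators who pull a configuration or firmware image off a switch can check for it themselves. The following Python is an added example written for this page, not code from RIoT Solutions or either vendor. It reproduces the two conditions the advisory describes on a constructed passwd file (hashes kept in field 2 instead of a shadow file, and a world-readable mode) and reports both; the usernames and hash strings are invented, and the temporary file and its modes are the example's own setup.

```python
"""Audit a passwd file for unshadowed hashes and a world-readable mode.

Added example for this page (not code from RIoT Solutions or the vendors).
It checks the two conditions described in the advisory: password hashes kept
in passwd itself rather than a root-only shadow file, and a file mode that
lets any local account read them. Sample content is constructed; the hash
strings are invented and the users are fictitious.
"""
import os
import stat
import tempfile

# Constructed seven-field passwd content. A shadowed system would carry "x"
# in field 2 and keep the hashes in /etc/shadow (mode 0640 or stricter).
SAMPLE_PASSWD = """\
root:$1$abcdefgh$ijklmnopqrstuvwxyz012:0:0:root:/root:/bin/sh
admin:$1$zyxwvuts$rqponmlkjihgfedcba987:100:100:admin:/home/admin:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
svc:x:200:200:service:/var/svc:/bin/false
"""

# Values in field 2 that mean "no usable hash here".
PLACEHOLDERS = {"", "x", "*", "!", "!!"}


def hash_type(pw: str) -> str:
    """Name the crypt(3) scheme by its prefix, as a cracker would select it."""
    if pw.startswith("$1$"):
        return "md5crypt"
    if pw.startswith("$5$"):
        return "sha256crypt"
    if pw.startswith("$6$"):
        return "sha512crypt"
    if len(pw) == 13 and "$" not in pw:
        return "descrypt"
    return "unknown"


def unshadowed_entries(text: str) -> list:
    """Return (user, scheme, hash) for each entry whose field 2 is a real hash."""
    found = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed line, not a passwd entry
        user, pw = fields[0], fields[1]
        if pw in PLACEHOLDERS or pw.startswith("!"):
            continue  # shadowed or locked account
        found.append((user, hash_type(pw), pw))
    return found


def audit_file(path: str) -> dict:
    """Report the file mode, whether 'other' can read it, and any hashes it holds."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "r", encoding="utf-8") as fh:
        entries = unshadowed_entries(fh.read())
    return {
        "mode": oct(mode),
        "world_readable": bool(mode & stat.S_IROTH),
        "unshadowed": entries,
    }


def audit_sample(mode: int) -> dict:
    """Write the constructed passwd to a temp file with the given mode and audit it."""
    fd, path = tempfile.mkstemp(prefix="passwd-audit-")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_PASSWD)
        os.chmod(path, mode)  # 0o644 reproduces the advisory's weak permissions
        return audit_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for m in (0o644, 0o600):
        print(oct(m), audit_sample(m))
```

Run against a passwd file extracted from an affected unit, a non-empty `unshadowed` list together with `world_readable: True` is the finding; each reported hash can be handed straight to John the Ripper or hashcat (md5crypt is hashcat mode 500), which is the attack the advisory warns about. Tightening the mode to 0600 removes the world-readable half of the problem but not the missing shadow file, so any hardening an operator applies locally should be re-checked after every firmware update.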


Advisory:

RIoT Solutions Pty Ltd recommends that users of the Red Lion Controls’ Sixnet SLX Managed Industrial Switches and/or AutomationDirect’s STRIDE Managed Ethernet Switches upgrade to SLX firmware version 5.3.174 once appropriate testing and change control measures have been undertaken.

Important note: Neither Red Lion Controls nor AutomationDirect provides MD5 or other checksums for downloadable files.  As such, it is difficult to verify the authenticity of firmware versions downloaded from the Internet. Download only over HTTPS from the vendor's own site, record your own SHA-256 of the image before deploying it so later copies can be compared, and take appropriate precautions prior to updating devices and associated software.

Red Lion Controls’ updated firmware release is available at the following location:

http://www.redlion.net/ethernet-switches-software-firmware

AutomationDirect’s updated firmware release is available at the following location:

http://support.automationdirect.com/firmware/binaries.html

In relation to the Incorrect Permission Assignment for a Critical Resource vulnerability, which remains unmitigated, users of the affected products should contact the vendor (Red Lion Controls or AutomationDirect) if that residual risk is identified as a threat to their infrastructure.

For further detailed technical information please see http://www.mogozobo.com/?p=3280.
