ICS-CERT Warns That Infrastructure Switches Have Hard-Coded Account Holes

← Back to Stories (view on slashdot.org)

ICS-CERT Warns That Infrastructure Switches Have Hard-Coded Account Holes

Posted by Unknown on Wednesday September 5, 2012 @05:04AM from the password-is-a-good-password-right dept.

Trailrunner7 writes with news of more critical infrastructure not being well secured. From the article: "The Department of Homeland Security is warning users of some of GarrettCom's switches that there is a hard-coded password in a default account on the devices, which are deployed in a number of critical infrastructure industries, that could allow an attacker to take control of them. A researcher at Cylance discovered the hidden account and warned the ICS-CERT...The problem exists in the GarrettCom Magnum MNS-6K Management Software and the company has released an updated version of the application that addresses the vulnerability. GarrettCom's switches are used in a variety of industries, including transportation, utilities and defense. The company issued a new version of the affected software in May, but didn't note that the fix for this vulnerability was included in it. 'A "factory" account intended to only be allowed to log in over a local serial console port exists in certain versions of GarrettCom's MNS-6K and MNS-6K-SECURE software. Cylance has identified an unforseen method whereby a user authenticated as "guest" or "operator" can escalate privileges to the "factory" account,' Cylance said in its advisory."

60 comments

Min score:

Reason:

Sort:

An unforseen method by Anonymous Coward · 2012-09-05 05:06 · Score: 0

They enter the hardcoded password.
1. Re:An unforseen method by Trepidity · 2012-09-05 05:10 · Score: 5, Insightful
  
  Well, yes, but it sounds like the intention was that this method of authentication should only be available via the serial console.
  My guess from the description is that they blocked non-console logins as the 'factory' user, but forgot about the equivalent of 'su', so you can login as another user and then escalate. Sort of like blocking ssh login as root, but having a guest account and a published root password: someone can still ssh as the guest account and then escalate to root.
  
  --
  10 PRINT CHR$(205.5+RND(1)); : GOTO 10
2. Re:An unforseen method by Opportunist · 2012-09-05 06:08 · Score: 2
  
  So what if it "should" be? I don't care what "should" be. My question is not why it exists, my question is why
  a) I don't know about it as the customer
  b) I cannot disable it
  c) it is enabled by default.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
3. Re:An unforseen method by Anonymous Coward · 2012-09-05 06:19 · Score: 0
  
  whoooooah. neckbeard hardass!
4. Re:An unforseen method by Baloroth · 2012-09-05 06:20 · Score: 1
  
  So what if it "should" be? I don't care what "should" be. My question is not why it exists, my question is why a) I don't know about it as the customer b) I cannot disable it c) it is enabled by default.
  a) Because you shouldn't need to
  
  b) and c) are the same: because part of the point is to regain access to the device if a customer screws up the account login. It's meant as a failsafe. Not much of a failsafe if they can just disable it (or if it can be disabled by accident for that matter). No, devices like that shouldn't be used in highly sensitive work, but it is a pretty widespread practice in the industry to have such backdoors.
  
  --
  "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
5. Re:An unforseen method by Trepidity · 2012-09-05 06:36 · Score: 2
  
  If it's correctly implemented, so it really can only be accessed via the serial console, it's also not a huge deal in common applications. If someone has access to the serial console, you're generally hosed, since few networks are designed to be robust against an adversary with physical access: there's all sorts of mischief you can cause if you're physically present in the server room, and can plug devices into the routers or patch into cables at will.
  
  --
  10 PRINT CHR$(205.5+RND(1)); : GOTO 10
6. Re:An unforseen method by Anonymous Coward · 2012-09-05 08:48 · Score: 0
  
  So what if it "should" be? I don't care what "should" be. My question is not why it exists, my question is why
  a) I don't know about it as the customer
  b) I cannot disable it
  c) it is enabled by default.
  a) Because you shouldn't need to
  
  It doesn't work that way. If there is an hardcoded account with a default password, it will get out. Because someone will know, someone will use it, someone will eventually leak the information.
7. Re:An unforseen method by someones · 2012-09-05 09:40 · Score: 1
  
  So what?
  if you rely on security thru obscurity, please, PLEASE, immidiately resign from any work related to the network/system security field.
So.... by Sparticus789 · 2012-09-05 05:11 · Score: 0

So the alert is that if a hacker can obtain the password for a low-privilege account, they can escalate their privileges to a super-user account. If a hacker can get ANY password for your system, then you are doing it wrong in the first place. Whether it is Janitor Bob's login or the CEO, password strength is a necessity. Especially so for network gear as the traffic passed through a switch like this would make for some interesting exploitative attacks on whatever infrastructure they support.
But the important take-away from this is simple, "password" or "12345" or any 1337 derivative of those passwords should not be used for absolutely anything. Passwords which maximize entropy or multi-factor authentication is the best way to go.

--
sudo make me a sandwich
1. Re:So.... by Anonymous Coward · 2012-09-05 05:31 · Score: 0
  
  So what if Jim Bob who is working as an intern engineer on the management systems (who only happens to have access to SNMP & logging related commands) decides he wants to exploit the system?
2. Re:So.... by Sique · 2012-09-05 05:33 · Score: 4, Insightful
  
  Wrong. Completely wrong.
  You are missing the most important aspect.
  There are users with different priviledges for a reason. It is quite possible that a person rightly knows the password for a guest account (for instance for monitoring reasons), but is not entitled any more priviledges.
  If this person then can escalate the guest priviledges to factory, you have a completely different set of problems than password security.
  
  --
  .sig: Sique *sigh*
3. Re:So.... by Anonymous Coward · 2012-09-05 05:34 · Score: 0
  
  This is still an issue regardless of whether the sysop is doing his job right or not because of local privilege escalation.
4. Re:So.... by sjames · 2012-09-05 05:49 · Score: 1
  
  It's not at all unusual in a switch or router to have some people (or role accounts) authorized for monitoring only and others authorized to have full administrative control.
  This flaw effectively removed the difference and silently granted all users the ability to become root.
5. Re:So.... by vlm · 2012-09-05 07:05 · Score: 1
  
  I'm not familiar with the gear that has the "exploit" but I'm assuming its vlan capable, and none of my vlan capable switches have ever been accessible by anyone but the SNMP management console machine and the network admin's desk and a couple other "secure" locations. By design not as simple as plug into an ethernet jack in the conference room and telnet in...
  If this hardware isn't vlan capable I'm not sure what they're thinking WRT the design. Probably some GD software patent on the concept of having a management VLAN. Although I know cisco and netgear switches both have this concept, so at least its widely licensed.
  
  --
  "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
6. Re:So.... by Sparticus789 · 2012-09-05 08:06 · Score: 1
  
  if a hacker can obtain the password for a low-privilege account, they can escalate their privileges to a super-user account.
  RTFC. You are just repeating what I said. If Hacker 1 cannot get into Guest Account 1, then this exploit doesn't MATTER. That can be accomplished with password security, VLAN, physical security, IDS, etc.
  It's like the password reset on Cisco products. If you can gain physical access to a Cisco box, you can decrypt the super-user password and do whatever you want. Or you can factory reset it. That is not an exploit. It is a feature, and can be very useful at times. But it depends on another layer of security, preventing unauthorized physical access to the box. This "exploit" depends on the system already being exploited in the first place.
  
  --
  sudo make me a sandwich
7. Re:So.... by Endovior · 2012-09-05 09:31 · Score: 1
  
  Uh... no, you missed a more important point, there. It's quite crippling if the company can't configure different security levels to actually be, you know, secure... essentially, this vulnerability means that if Janitor Bob has guest access, he can escalate to superuser and walk off with whatever he wants. And since as a company, you want to have most people have limited access and a very few trusted people have full access, this is huge. Sure, it'd be nice if you had everything totally locked down, with the background checks on your janitors as intensive as those on your administrators... but since that's a huge deal of expense, it makes a lot more sense to simply make sure that your janitors don't actually have access to anything sensitive. The fact that this security flaw also means that any of your passwords are gold to hackers is just a side effect.
8. Re:So.... by Sparticus789 · 2012-09-06 01:02 · Score: 1
  
  Janitor Bob also has keys to the building. So therefore Janitor Bob has physical access to these routers. Therefore in Janitor Bob was a nefarious hacker, he would be able to do anything to that box he wanted, given the numerous ways to hack a router when you have physical access.
  
  --
  sudo make me a sandwich
It's a fire sale! by Iniamyen · 2012-09-05 05:17 · Score: 2

Thomas Gabriel warned them! And they ignored him!
WHO? by Anonymous Coward · 2012-09-05 05:17 · Score: 0

Who the heck is GARRETTCOM? Why not go with an industry leader like CISCO, 3COM, D-LINK, Netgear, ETC?
1. Re:WHO? by Shatrat · 2012-09-05 05:19 · Score: 1
  
  Because they make affordable NEBS compliant DC powered switches.
  
  --
  09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
2. Re:WHO? by Shatrat · 2012-09-05 05:21 · Score: 2
  
  PS, D-Link and Netgear? This isn't 'mom's basement' applications, it's telecom and other utilities.
  
  --
  09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
3. Re:WHO? by OAB_X · 2012-09-05 05:48 · Score: 4, Informative
  
  Cisco, D-Link, Netgear, etc. do not make (much) industrial temp (-40 to +80C, very high EMI/static discharge tolerances, etc.) networking equipment.
  Garrettcom was not the only company in the industry to be caught doing the same thing (see: http://it.slashdot.org/story/12/04/25/1456210/backdoor-in-ruggedos-systems-infrastructure-military-systems-vulnerable). Not the latter one has according to the company been patched out in the latest software release.
4. Re:WHO? by Shatrat · 2012-09-05 07:35 · Score: 1
  
  Cisco does make C-temp NEBS compliant switches, they just charge Cisco prices for it. See the ME-3400.
  For I-temp rated stuff I don't know of any off the top of my head, but only because we generally don't deploy active gear in non-environmental enclosures.
  
  --
  09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
5. Re:WHO? by Anonymous Coward · 2012-09-05 22:05 · Score: 0
  
  I'm a controls engineer working in industrial automation and process control. MOXA and Hirschmann are excellent brands for industrial stuff, and in North America Allen-Bradley makes Stratix switches that are pretty decent, although they charge like they are gold plated. Wouldn't dream of using Cisco crap in real industrial environments. This is of course yet another example of how critical infrastructure networks never seem to get the level of scrutiny that they deserve.
That's what you get by kiriath · 2012-09-05 05:30 · Score: 2

For not using Cisco Gear. ...
*ducks*
1. Re:That's what you get by Anonymous Coward · 2012-09-05 05:37 · Score: 0
  
  We're a govt agancy and use only Cisco gear.... which some tinfoil hatters think only comes with govt-approved (and govt-sponsored) backdoors :D
2. Re:That's what you get by Shoten · 2012-09-05 05:47 · Score: 4, Informative
  
  For not using Cisco Gear. ...
  *ducks*
  Cisco gear isn't suitable for most of the environments where this stuff goes. There's a whole world of networking applications that require industrial hardness. No cooling fans or vents, a form factor to fit on DIN rails, and even intrinsically safe (i.e., won't make sparks that would ignite flammable gases) characteristics. Oh, also...tolerance to heat (small substations don't have cooled server rooms, for example, and neither do a lot of facilities in the oil/gas world), hardened ability to resist RF and EM interference, being sealed against dust...the list goes on and on.
  Cisco and the companies you're used to have largely foregone this market, leaving it to companies like RuggedCom, Hirschmann, GarrettCom, and the like. Cisco does have a line of gear that aims at this market, but they just introduced it, the line is relatively small, and they don't have much traction yet. I work in this field, myself, and I like Cisco gear; I'll put it in wherever I can, when doing a design. But for a lot of cases, you simply *can't* use it, at all.
  
  --
  
  For your security, this post has been encrypted with ROT-13, twice.
3. Re:That's what you get by Mister+Whirly · 2012-09-05 06:01 · Score: 1
  
  I would say even if your non industrial hardened switches are throwing sparks, it is time to get some new gear.
  
  --
  "But this one goes to 11!"
4. Re:That's what you get by rdunnell · 2012-09-05 06:14 · Score: 3, Informative
  
  That's not exactly the point. Sure, if a switch is sparking, then it is broken. The point of this gear is that it has been built such that if it breaks, it won't be able to emit dangerous sparks that might do something like cause an explosion in the presence of a buildup of gas or whatever. It still has to be replaced, just like the non-hardened switch, but it is less risky to deploy in an environment where such hazards might be present.
5. Re:That's what you get by schitso · 2012-09-05 06:15 · Score: 4, Informative
  
  There's a difference between "shouldn't spark" and "will never spark, ever". Especially in environments where there is the possibility of a release of explosive gases.
6. Re:That's what you get by Anonymous Coward · 2012-09-05 06:16 · Score: 0
  
  You're making a joke, but it's got more to do with failure modes. If having your power supply fail blows up the factory, that's bad design.
7. Re:That's what you get by mcgrew · 2012-09-05 06:31 · Score: 1
  
  I tried making a router out of ducks once, it didn't work too well.
  
  --
  Free Martian Whores!
8. Re:That's what you get by vlm · 2012-09-05 07:12 · Score: 1
  
  and even intrinsically safe (i.e., won't make sparks that would ignite flammable gases) characteristics.
  OK I'll bite. How does garrettcom do this? I mean at the ISO level 1 electrical/hardware characteristics? I'm guessing its a huge challenge to do PoE that cannot theoretically spark when you yank a current carrying cable out of a jack. Maybe physical lock holds the ethernet plug in and unlocking the plug powers down the PoE faster than you can yank the cable, or some ridiculous arrangement with constant current source and a SCR crowbar ckt if the voltage rises too high aka is arcing? Or they just don't sell PoE, which is probably the simplest solution? But aren't there some of the zillions of copper ethernet standards with what used to be called in the telecom world "simplex current" so even just being non-PoE won't help? Old fashioned FDDI would seem to be the simplest intrinsically safe solution.
  TLDR: curious at a hardware/electrical/EE level how intrinsically safe PoE works.
  
  --
  "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
9. Re:That's what you get by Dishevel · 2012-09-05 08:06 · Score: 1
  
  I have never made a router out of ducks but I did once create a switch out of ducks.
  Worked great for situations where you wanted high bandwidth and could live with really bad latency.
  
  --
  Why is it so hard to only have politicians for a few years, then have them go away?
10. Re:That's what you get by petermgreen · 2012-09-05 09:56 · Score: 1
  
  I am not an intrinsic safety expert but my thoughts:
  Modern ethernet (from 10base-T forward) is AC coupled and the signal levels are pretty small, so they may well be low enough that they can be exposed externally provided appropriate protection is in place (and NO POE of course). I doubt anyone cares about 10base-2 and 10base-5 at this point.
  As for circuits that must not be exposed to the explosive atmosphere I would guess they usually hardwire it through special glands. If it has to go through connectors they would use special (and expensive) sealed and interlocked ones.
  I'd think the biggest problem for equipment in potentially explosive atmospheres would be cooling since enclosures would have to have a gas-tight seal.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
A guest account? by m6tt · 2012-09-05 05:31 · Score: 1

God forbid I have someone come over for dinner and they're unable to login to my infrastructure switches and peruse the configs!
1. Re:A guest account? by vlm · 2012-09-05 07:18 · Score: 2
  
  God forbid I have someone come over for dinner and they're unable to login to my infrastructure switches and peruse the configs!
  In years past I've had repeated experiences with Cisco TAC along the lines of "I donno we've never seen anything like that before, mind if we log in and take a look?"
  This is for stuff that takes more than "show tech" or where "show tech" looks so weird they need more data.
  Needless to say this was at an ISP with a hardware budget best expressed in scientific notation, not home user with a $79 smart switch.
  Its not as unlikely as you'd think.
  The funny part is they always reboot and if that doesn't work swap hardware... its just a delaying tactic or to make the customer feel better, as far as I know.
  
  --
  "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Thanks DHS! by fustakrakich · 2012-09-05 05:38 · Score: 1

Good to see you provide a useful service for a change.
Now, get out of my pants!

--
“He’s not deformed, he’s just drunk!”
1. Re:Thanks DHS! by Anonymous Coward · 2012-09-05 05:52 · Score: 0
  
  I'm not even going to ask why you have a GarrettCom switch in your pants. But hey, whatever gets you through the night.
2. Re:Thanks DHS! by Anonymous Coward · 2012-09-05 06:05 · Score: 0
  
  It's because Cisco switches have fans. And we all know how painful that can be.
3. Re:Thanks DHS! by Anonymous Coward · 2012-09-05 06:08 · Score: 1
  
  And we all know how painful that can be.
  That settle it. I am so NOT going to the Network Admin Happy Hour this Friday.
I want to hire some of those cyborgs you use. by Medievalist · 2012-09-05 05:42 · Score: 2

If a hacker can get ANY password for your system, then you are doing it wrong in the first place.
By "doing it wrong" I assume you meant "employing human beings" since it's been repeatedly proven that normal human employees will trade their passwords for sex, chocolate, or free theatre tickets.
1. Re:I want to hire some of those cyborgs you use. by Opportunist · 2012-09-05 06:14 · Score: 1
  
  Fffft, how expensive. Most people will gladly trade it for the promise that you won't let the sky come down falling on them, i.e. you don't close their WoW accounts.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
2. Re:I want to hire some of those cyborgs you use. by mcgrew · 2012-09-05 08:03 · Score: 3, Funny
  
  The studies I saw that showed that "normal human employees will trade their passwords for sex, chocolate, or free theatre tickets" had a HUGE flaw -- they didn't check to see if the respondants were lying when they gave "their" password. Hell, if someone offered me sex for my password, I'd say "sure, it's swordfish." Which it isn't really, but I'd still get laid.
  
  --
  Free Martian Whores!
GarretCom by Anonymous Coward · 2012-09-05 05:54 · Score: 0

Lots of devices have this issue. It looks like GarrettComm pissed of the wrong person.
Wait a minute... by camperdave · 2012-09-05 05:57 · Score: 2

Wait a minute... Isn't the Department of Homeland Security the one that *wants* backdoor access to everything? After all, you can't put locks on your luggage unless they have a DHS backdoor. Why are they warning us about this? I'm confused. Are we supposed to be rooting for them now?

--
When our name is on the back of your car, we're behind you all the way!
1. Re:Wait a minute... by Anonymous Coward · 2012-09-05 06:04 · Score: 0
  
  You don't get it. They want unlimited access to YOUR stuff. This is somebody ELSE having access to corporate stuff, and we absolutely must protect corporations at all costs.
2. Re:Wait a minute... by Anonymous Coward · 2012-09-05 06:14 · Score: 0
  
  ICS-CERT, US-CERT and the like have been part of DHS since its inception. You're surprised that the executive department responsible for infrastructure, telecommunications and networking security provides guidance and warnings about things that compromise those?
3. Re:Wait a minute... by fa2k · 2012-09-05 06:17 · Score: 1
  
  Wait a minute... Isn't the Department of Homeland Security the one that *wants* backdoor access to everything?
  
  From TFS: "A researcher at Cylance discovered the hidden account and warned the ICS-CERT." If it's out in public, it's of no use to them.
  It would be refreshing to have a similar level of objectivity as in this story the next time a backdoor is found in a Chinese switch..
4. Re:Wait a minute... by Dins · 2012-09-05 06:22 · Score: 1
  
  I don't give a shit about corporations. I do give a shit about the network hardware controlling the local nuclear power plant.
5. Re:Wait a minute... by MickyTheIdiot · 2012-09-05 06:37 · Score: 1
  
  Your congresscritter:
  "I don't give a shit about the local nuclear power plant. I do give a shit about the network hardware controlling corporations."
  You see, one pays much better than the other.
Readme.txt by ThatsNotPudding · 2012-09-05 05:58 · Score: 4, Funny

"Users are also instructed to pencil-in quotation marks around the word 'SECURE' in all of devices' badges and documentation."
Explanation, please. by zooblethorpe · 2012-09-05 06:05 · Score: 2

Are we supposed to be rooting for them now?
That depends -- exactly how do you mean that?
:-P

--
"What in the name of Fats Waller is that?"
"A four-foot prune."
This is progress by Animats · 2012-09-05 06:23 · Score: 3, Insightful

We're making progress on disclosure. A few years ago, companies screamed when somebody found and published information about a hole in their products. Now the disclosures are given wide distribution by the U.S. Government's anti-terrorist agency.
That sort of thing makes a big difference when big purchasing decisions are being made. "Homeland Security says that company's products are insecure" can easily lose a company a big sale.
proprietary software by Anonymous Coward · 2012-09-05 06:36 · Score: 0

You're using proprietary software on an embedded device, and now you're complaining that it has a backdoor that you didn't know about and can't change?
http://xkcd.com/743/
Factory accounts serve a useful purpose by davidwr · 2012-09-05 06:46 · Score: 4, Informative

However, if they can be abused then we have a problem.
I wouldn't necessarily call it a "factory" account, but the well-known way to reset the LOCAL administrator password in a Microsoft Windows Active Directory Domain Account then using other "offline" means has saved more than a few Network Administrators time and possibly their jobs, BUT if such a technique were known to be exploitable remotely, all hell would break loose.
If a box I'm running has a factory-backdoor, I generally have several requirements from the vendor:
* I know it has a backdoor
* I know what physical access, if any, is required to use the backdoor
* I know how to turn it off, or I know that it can't be turned off and accept the risk. Where physical access is required, locking up the device "turns off" the back-door.
* I know how to make it tamper-evident or I know I can't and accept the risk. If physical access is required, a seal across the door leading to the equipment room provided tamper-evidence.

--
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Re:This is corporatism by Anonymous Coward · 2012-09-05 07:30 · Score: 0

Or it could be a bigger fish calling DHS and saying "you really need to draw attention to this horrific security practice by our smaller competitor with an otherwise technically superior device."

I'm not saying these things shouldn't be reported, but access to regulatory authorities is one of the hallmarks of our system.
SCADA default insecurity? by dgharmon · 2012-09-05 12:23 · Score: 1

Why don't they run these SCADA units over a VPN circuit run on embedded hardware?

--
AccountKiller