ICS-CERT Warns That Infrastructure Switches Have Hard-Coded Account Holes
Trailrunner7 writes with news of more critical infrastructure not being well secured. From the article: "The Department of Homeland Security is warning users of some of GarrettCom's switches that there is a hard-coded password in a default account on the devices, which are deployed in a number of critical infrastructure industries, that could allow an attacker to take control of them. A researcher at Cylance discovered the hidden account and warned the ICS-CERT... The problem exists in the GarrettCom Magnum MNS-6K Management Software and the company has released an updated version of the application that addresses the vulnerability. GarrettCom's switches are used in a variety of industries, including transportation, utilities and defense. The company issued a new version of the affected software in May, but didn't note that the fix for this vulnerability was included in it. 'A "factory" account intended to only be allowed to log in over a local serial console port exists in certain versions of GarrettCom's MNS-6K and MNS-6K-SECURE software. Cylance has identified an unforeseen method whereby a user authenticated as "guest" or "operator" can escalate privileges to the "factory" account,' Cylance said in its advisory."
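The advisory quoted above describes two things a defender can watch for even before the fixed firmware is rolled out: the console-only "factory" account appearing on a network channel, and a session that started as "guest" or "operator" ending up as "factory". The script below is an added example, not code from the Slashdot post, GarrettCom or Cylance; the key=value syslog format and the sample lines are constructed for illustration, since the actual MNS-6K log format is not given on the page, so the two regexes would need adapting to the real device output.

```python
"""
Added example (not from the post, GarrettCom or Cylance): flag use of a
console-only 'factory' account over a network channel, or a session that
changes role from guest/operator to factory. The log format is an assumption
constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines in an assumed key=value syslog style.
SAMPLE_LOG = """\
2012-08-01T10:02:11 sw-sub01 auth: user=operator src=console result=ok session=17
2012-08-01T10:05:40 sw-sub01 auth: user=factory src=console result=ok session=18
2012-08-01T11:13:02 sw-sub01 auth: user=guest src=10.0.3.44 proto=telnet result=ok session=19
2012-08-01T11:13:30 sw-sub01 priv: session=19 from=guest to=factory
2012-08-01T12:44:09 sw-sub01 auth: user=factory src=10.0.3.44 proto=ssh result=ok session=20
2012-08-01T12:50:00 sw-sub01 auth: user=admin src=10.0.3.9 proto=ssh result=fail session=21
"""

# Accounts that the vendor says should only ever appear on the serial console.
CONSOLE_ONLY_ACCOUNTS = {"factory"}
# Roles named in the advisory as the starting point of the escalation.
LOW_PRIV_ROLES = {"guest", "operator"}

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: proto=(?P<proto>\S+))? result=(?P<result>\S+) session=(?P<sid>\d+)$"
)
PRIV_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) priv: session=(?P<sid>\d+) from=(?P<frm>\S+) to=(?P<to>\S+)$"
)


@dataclass
class Finding:
    ts: str
    host: str
    session: int
    reason: str


def audit(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious login or privilege change."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            d = m.groupdict()
            # A successful login as a console-only account from anything but the console.
            if d["result"] == "ok" and d["user"] in CONSOLE_ONLY_ACCOUNTS and d["src"] != "console":
                findings.append(Finding(
                    d["ts"], d["host"], int(d["sid"]),
                    f"console-only account '{d['user']}' logged in over "
                    f"{d['proto'] or 'network'} from {d['src']}"))
            continue
        m = PRIV_RE.match(line)
        if m:
            d = m.groupdict()
            # A low-privilege session becoming the factory account mid-session.
            if d["frm"] in LOW_PRIV_ROLES and d["to"] in CONSOLE_ONLY_ACCOUNTS:
                findings.append(Finding(
                    d["ts"], d["host"], int(d["sid"]),
                    f"session escalated from '{d['frm']}' to '{d['to']}'"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"{f.ts} {f.host} session={f.session}: {f.reason}")
```

On the constructed sample, sessions 19 and 20 are flagged while the console login in session 18 is left alone, which is the distinction the advisory draws: the account itself is expected, its reachability from the network is not.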
For not using Cisco Gear. ...
*ducks*
Cisco gear isn't suitable for most of the environments where this stuff goes. There's a whole world of networking applications that require industrial hardness. No cooling fans or vents, a form factor to fit on DIN rails, and even intrinsically safe (i.e., won't make sparks that would ignite flammable gases) characteristics. Oh, also...tolerance to heat (small substations don't have cooled server rooms, for example, and neither do a lot of facilities in the oil/gas world), hardened ability to resist RF and EM interference, being sealed against dust...the list goes on and on.
Cisco and the companies you're used to have largely foregone this market, leaving it to companies like RuggedCom, Hirschmann, GarrettCom, and the like. Cisco does have a line of gear that aims at this market, but they just introduced it, the line is relatively small, and they don't have much traction yet. I work in this field, myself, and I like Cisco gear; I'll put it in wherever I can, when doing a design. But for a lot of cases, you simply *can't* use it, at all.
For your security, this post has been encrypted with ROT-13, twice.
Cisco, D-Link, Netgear, etc. do not make (much) industrial temp (-40 to +80C, very high EMI/static discharge tolerances, etc.) networking equipment.
GarrettCom was not the only company in the industry to be caught doing the same thing (see: http://it.slashdot.org/story/12/04/25/1456210/backdoor-in-ruggedos-systems-infrastructure-military-systems-vulnerable). Note that the latter one has, according to the company, been patched out in the latest software release.
That's not exactly the point. Sure, if a switch is sparking, then it is broken. The point of this gear is that it has been built such that if it breaks, it won't be able to emit dangerous sparks that might do something like cause an explosion in the presence of a buildup of gas or whatever. It still has to be replaced, just like the non-hardened switch, but it is less risky to deploy in an environment where such hazards might be present.
There's a difference between "shouldn't spark" and "will never spark, ever". Especially in environments where there is the possibility of a release of explosive gases.
However, if they can be abused then we have a problem.
I wouldn't necessarily call it a "factory" account, but the well-known way to reset the LOCAL administrator password in a Microsoft Windows Active Directory domain account, then using other "offline" means, has saved more than a few network administrators time and possibly their jobs. BUT if such a technique were known to be exploitable remotely, all hell would break loose.
If a box I'm running has a factory-backdoor, I generally have several requirements from the vendor:
* I know it has a backdoor
* I know what physical access, if any, is required to use the backdoor
* I know how to turn it off, or I know that it can't be turned off and accept the risk. Where physical access is required, locking up the device "turns off" the backdoor.
* I know how to make it tamper-evident, or I know I can't and accept the risk. If physical access is required, a seal across the door leading to the equipment room provides tamper-evidence.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.