ICS-CERT Warns That Infrastructure Switches Have Hard-Coded Account Holes
Trailrunner7 writes with news of more critical infrastructure not being well secured. From the article: "The Department of Homeland Security is warning users of some of GarrettCom's switches that there is a hard-coded password in a default account on the devices, which are deployed in a number of critical infrastructure industries, that could allow an attacker to take control of them. A researcher at Cylance discovered the hidden account and warned the ICS-CERT... The problem exists in the GarrettCom Magnum MNS-6K Management Software and the company has released an updated version of the application that addresses the vulnerability. GarrettCom's switches are used in a variety of industries, including transportation, utilities and defense. The company issued a new version of the affected software in May, but didn't note that the fix for this vulnerability was included in it. 'A "factory" account intended to only be allowed to log in over a local serial console port exists in certain versions of GarrettCom's MNS-6K and MNS-6K-SECURE software. Cylance has identified an unforeseen method whereby a user authenticated as "guest" or "operator" can escalate privileges to the "factory" account,' Cylance said in its advisory."
Well, yes, but it sounds like the intention was that this method of authentication should only be available via the serial console.
My guess from the description is that they blocked non-console logins as the 'factory' user, but forgot about the equivalent of 'su', so you can login as another user and then escalate. Sort of like blocking ssh login as root, but having a guest account and a published root password: someone can still ssh as the guest account and then escalate to root.
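A toy model of the mistake this comment describes, written here as an added example (not code from the article, GarrettCom or Cylance; account names, passwords and transport labels are constructed): the console-only rule is enforced at login but forgotten on the su-like path, beside a hardened version that re-checks it on every privilege change and logs denials.

```python
# Added example, not code from the article, GarrettCom or Cylance: a toy model of
# the mistake described above, with constructed accounts, passwords and transports.
from dataclasses import dataclass

CONSOLE, NETWORK = "console", "network"     # constructed transport labels
CONSOLE_ONLY = {"factory"}                   # accounts restricted to the serial port
PASSWORDS = {"guest": "guest", "factory": "hard-coded-placeholder"}  # constructed
AUDIT: list[str] = []                        # what a defender would ship to a SIEM

@dataclass
class Session:
    user: str
    transport: str                           # how the session reached the device

def login(user: str, password: str, transport: str) -> Session:
    """Login path: the part the vulnerable design gets right."""
    if PASSWORDS.get(user) != password:
        raise PermissionError("bad credentials")
    if user in CONSOLE_ONLY and transport != CONSOLE:
        raise PermissionError(f"{user} may only log in over the serial console")
    return Session(user, transport)

def switch_user_vulnerable(s: Session, target: str, password: str) -> Session:
    """su-like path: credentials checked, transport forgotten, so a network guest becomes factory."""
    if PASSWORDS.get(target) != password:
        raise PermissionError("bad credentials")
    s.user = target
    return s

def switch_user_fixed(s: Session, target: str, password: str) -> Session:
    """Hardened: the console-only rule applies to every privilege change, and denials are logged."""
    if PASSWORDS.get(target) != password:
        raise PermissionError("bad credentials")
    if target in CONSOLE_ONLY and s.transport != CONSOLE:
        AUDIT.append(f"DENIED {s.user}->{target} over {s.transport}")
        raise PermissionError(f"{target} is console-only; escalation denied")
    AUDIT.append(f"OK {s.user}->{target} over {s.transport}")
    s.user = target
    return s

def attempt(transport: str, switch=None) -> str:
    """Try to reach 'factory' over `transport`: directly when `switch` is None,
    otherwise by logging in as guest and calling `switch`. Returns the user or 'denied'."""
    try:
        if switch is None:
            return login("factory", PASSWORDS["factory"], transport).user
        s = login("guest", "guest", transport)
        return switch(s, "factory", PASSWORDS["factory"]).user
    except PermissionError:
        return "denied"
```

`attempt(NETWORK)` is denied while `attempt(NETWORK, switch_user_vulnerable)` reaches factory; the fixed path denies it and leaves a DENIED entry in AUDIT to alert on.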
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
Thomas Gabriel warned them! And they ignored him!
Because they make affordable NEBS compliant DC powered switches.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
PS, D-Link and Netgear? This isn't 'mom's basement' applications, it's telecom and other utilities.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
For not using Cisco Gear. ...
*ducks*
God forbid I have someone come over for dinner and they're unable to log in to my infrastructure switches and peruse the configs!
Wrong. Completely wrong.
You are missing the most important aspect.
There are users with different privileges for a reason. It is quite possible that a person rightly knows the password for a guest account (for instance for monitoring reasons), but is not entitled to any more privileges.
If this person then can escalate the guest privileges to factory, you have a completely different set of problems than password security.
Good to see you provide a useful service for a change.
Now, get out of my pants!
“He’s not deformed, he’s just drunk!”
By "doing it wrong" I assume you meant "employing human beings" since it's been repeatedly proven that normal human employees will trade their passwords for sex, chocolate, or free theatre tickets.
Cisco, D-Link, Netgear, etc. do not make (much) industrial temp (-40 to +80C, very high EMI/static discharge tolerances, etc.) networking equipment.
Garrettcom was not the only company in the industry to be caught doing the same thing (see: http://it.slashdot.org/story/12/04/25/1456210/backdoor-in-ruggedos-systems-infrastructure-military-systems-vulnerable). Note the latter one has, according to the company, been patched out in the latest software release.
It's not at all unusual in a switch or router to have some people (or role accounts) authorized for monitoring only and others authorized to have full administrative control.
This flaw effectively removed the difference and silently granted all users the ability to become root.
Wait a minute... Isn't the Department of Homeland Security the one that *wants* backdoor access to everything? After all, you can't put locks on your luggage unless they have a DHS backdoor. Why are they warning us about this? I'm confused. Are we supposed to be rooting for them now?
When our name is on the back of your car, we're behind you all the way!
"Users are also instructed to pencil-in quotation marks around the word 'SECURE' in all of devices' badges and documentation."
Are we supposed to be rooting for them now?
That depends -- exactly how do you mean that?
:-P
"What in the name of Fats Waller is that?"
"A four-foot prune."
So what if it "should" be? I don't care what "should" be. My question is not why it exists, my question is why
a) I don't know about it as the customer
b) I cannot disable it
c) it is enabled by default.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
So what if it "should" be? I don't care what "should" be. My question is not why it exists, my question is why a) I don't know about it as the customer b) I cannot disable it c) it is enabled by default.
a) Because you shouldn't need to
b) and c) are the same: because part of the point is to regain access to the device if a customer screws up the account login. It's meant as a failsafe. Not much of a failsafe if they can just disable it (or if it can be disabled by accident for that matter). No, devices like that shouldn't be used in highly sensitive work, but it is a pretty widespread practice in the industry to have such backdoors.
"None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
We're making progress on disclosure. A few years ago, companies screamed when somebody found and published information about a hole in their products. Now the disclosures are given wide distribution by the U.S. Government's anti-terrorist agency.
That sort of thing makes a big difference when big purchasing decisions are being made. "Homeland Security says that company's products are insecure" can easily lose a company a big sale.
If it's correctly implemented, so it really can only be accessed via the serial console, it's also not a huge deal in common applications. If someone has access to the serial console, you're generally hosed, since few networks are designed to be robust against an adversary with physical access: there's all sorts of mischief you can cause if you're physically present in the server room, and can plug devices into the routers or patch into cables at will.
10 PRINT CHR$(205.5+RND(1)); : GOTO 10
However, if they can be abused then we have a problem.
I wouldn't necessarily call it a "factory" account, but the well-known way to reset the LOCAL administrator password in a Microsoft Windows Active Directory Domain Account then using other "offline" means has saved more than a few Network Administrators time and possibly their jobs, BUT if such a technique were known to be exploitable remotely, all hell would break loose.
If a box I'm running has a factory-backdoor, I generally have several requirements from the vendor:
* I know it has a backdoor
* I know what physical access, if any, is required to use the backdoor
* I know how to turn it off, or I know that it can't be turned off and accept the risk. Where physical access is required, locking up the device "turns off" the back-door.
* I know how to make it tamper-evident or I know I can't and accept the risk. If physical access is required, a seal across the door leading to the equipment room provided tamper-evidence.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I'm not familiar with the gear that has the "exploit" but I'm assuming it's VLAN capable, and none of my VLAN capable switches have ever been accessible by anyone but the SNMP management console machine and the network admin's desk and a couple other "secure" locations. By design not as simple as plug into an ethernet jack in the conference room and telnet in...
If this hardware isn't VLAN capable I'm not sure what they're thinking WRT the design. Probably some GD software patent on the concept of having a management VLAN. Although I know Cisco and Netgear switches both have this concept, so at least it's widely licensed.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Cisco does make C-temp NEBS compliant switches, they just charge Cisco prices for it. See the ME-3400.
For I-temp rated stuff I don't know of any off the top of my head, but only because we generally don't deploy active gear in non-environmental enclosures.
09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
if a hacker can obtain the password for a low-privilege account, they can escalate their privileges to a super-user account.
RTFC. You are just repeating what I said. If Hacker 1 cannot get into Guest Account 1, then this exploit doesn't MATTER. That can be accomplished with password security, VLAN, physical security, IDS, etc.
It's like the password reset on Cisco products. If you can gain physical access to a Cisco box, you can decrypt the super-user password and do whatever you want. Or you can factory reset it. That is not an exploit. It is a feature, and can be very useful at times. But it depends on another layer of security, preventing unauthorized physical access to the box. This "exploit" depends on the system already being exploited in the first place.
sudo make me a sandwich
Uh... no, you missed a more important point, there. It's quite crippling if the company can't configure different security levels to actually be, you know, secure... essentially, this vulnerability means that if Janitor Bob has guest access, he can escalate to superuser and walk off with whatever he wants. And since as a company, you want to have most people have limited access and a very few trusted people have full access, this is huge. Sure, it'd be nice if you had everything totally locked down, with the background checks on your janitors as intensive as those on your administrators... but since that's a huge deal of expense, it makes a lot more sense to simply make sure that your janitors don't actually have access to anything sensitive. The fact that this security flaw also means that any of your passwords are gold to hackers is just a side effect.
So what?
If you rely on security thru obscurity, please, PLEASE, immediately resign from any work related to the network/system security field.
Why don't they run these SCADA units over a VPN circuit run on embedded hardware?
AccountKiller
Janitor Bob also has keys to the building. So therefore Janitor Bob has physical access to these routers. Therefore if Janitor Bob was a nefarious hacker, he would be able to do anything to that box he wanted, given the numerous ways to hack a router when you have physical access.
sudo make me a sandwich