Slashdot Mirror


ICS-CERT Warns That Infrastructure Switches Have Hard-Coded Account Holes

Trailrunner7 writes with news of more critical infrastructure not being well secured. From the article: "The Department of Homeland Security is warning users of some of GarrettCom's switches that there is a hard-coded password in a default account on the devices, which are deployed in a number of critical infrastructure industries, that could allow an attacker to take control of them. A researcher at Cylance discovered the hidden account and warned the ICS-CERT...The problem exists in the GarrettCom Magnum MNS-6K Management Software and the company has released an updated version of the application that addresses the vulnerability. GarrettCom's switches are used in a variety of industries, including transportation, utilities and defense. The company issued a new version of the affected software in May, but didn't note that the fix for this vulnerability was included in it. 'A "factory" account intended to only be allowed to log in over a local serial console port exists in certain versions of GarrettCom's MNS-6K and MNS-6K-SECURE software. Cylance has identified an unforeseen method whereby a user authenticated as "guest" or "operator" can escalate privileges to the "factory" account,' Cylance said in its advisory."

19 of 60 comments

  1. Re:An unforeseen method by Trepidity · · Score: 5, Insightful

    Well, yes, but it sounds like the intention was that this method of authentication should only be available via the serial console.

    My guess from the description is that they blocked non-console logins as the 'factory' user, but forgot about the equivalent of 'su', so you can login as another user and then escalate. Sort of like blocking ssh login as root, but having a guest account and a published root password: someone can still ssh as the guest account and then escalate to root.
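The escalation path the comment guesses at, as an added illustration that is not part of the thread and not GarrettCom's code: a toy access-control model in which the console-only rule for the "factory" account is enforced at login but forgotten on the user-switching path (the `su` analogue), shown beside the hardened version that re-applies the rule on every privilege transition. Account names, passwords, privilege levels and function names are all constructed for the example.

```python
"""Toy model of a console-only privileged account whose policy is checked
at login but not on the user-switching path. Hypothetical code written for
this page; it is not the MNS-6K implementation and makes no claim about it.
"""

from dataclasses import dataclass

# Constructed sample account table. "factory" stands in for an undocumented
# vendor account; the password is a placeholder, not a real credential.
ACCOUNTS = {
    "guest": {"password": "guest", "level": 1},
    "operator": {"password": "op3rator", "level": 2},
    "factory": {"password": "placeholder-hardcoded", "level": 3},
}
# Policy: these accounts may only be used from the local serial console.
CONSOLE_ONLY = {"factory"}


@dataclass
class Session:
    user: str
    channel: str  # "serial" or "network"
    level: int


def login(user, password, channel):
    """Initial authentication. Both variants below share this, and it is
    correct: a network login as "factory" is refused."""
    acct = ACCOUNTS.get(user)
    if acct is None or acct["password"] != password:
        return None
    if user in CONSOLE_ONLY and channel != "serial":
        return None
    return Session(user, channel, acct["level"])


def switch_user_vulnerable(session, target, password):
    """The flaw: the switch path verifies the password but never asks
    whether the target account is allowed on this session's channel, so a
    network session authenticated as guest can become factory."""
    acct = ACCOUNTS.get(target)
    if acct is None or acct["password"] != password:
        return session  # wrong password: stay who you were
    return Session(target, session.channel, acct["level"])


def switch_user_hardened(session, target, password):
    """The fix: the channel policy is a property of the session, so it must
    be re-applied at every privilege transition, not only at login."""
    acct = ACCOUNTS.get(target)
    if acct is None or acct["password"] != password:
        return session
    if target in CONSOLE_ONLY and session.channel != "serial":
        return session  # same rule login() enforces, now on the su path too
    return Session(target, session.channel, acct["level"])


def escalation(switch_fn, channel):
    """Privilege level a guest on the given channel ends up with after
    trying the switch path with a leaked factory password."""
    s = login("guest", "guest", channel)
    s = switch_fn(s, "factory", ACCOUNTS["factory"]["password"])
    return s.level


if __name__ == "__main__":
    pw = ACCOUNTS["factory"]["password"]
    print("direct network login as factory:", login("factory", pw, "network"))
    print("vulnerable switch, network guest reaches level",
          escalation(switch_user_vulnerable, "network"))
    print("hardened switch, network guest reaches level",
          escalation(switch_user_hardened, "network"))
    print("hardened switch, serial guest reaches level",
          escalation(switch_user_hardened, "serial"))
```

The hardened variant only closes the channel-policy gap; a hard-coded credential that the customer cannot change or disable remains a problem regardless of where the check sits.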

  2. It's a fire sale! by Iniamyen · · Score: 2

    Thomas Gabriel warned them! And they ignored him!

  3. Re:WHO? by Shatrat · · Score: 2

    PS, D-Link and Netgear? This isn't 'mom's basement' applications, it's telecom and other utilities.

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  4. That's what you get by kiriath · · Score: 2

    For not using Cisco Gear. ...

    *ducks*

    1. Re:That's what you get by Shoten · · Score: 4, Informative

      For not using Cisco Gear. ...

      *ducks*

      Cisco gear isn't suitable for most of the environments where this stuff goes. There's a whole world of networking applications that require industrial hardness. No cooling fans or vents, a form factor to fit on DIN rails, and even intrinsically safe (i.e., won't make sparks that would ignite flammable gases) characteristics. Oh, also...tolerance to heat (small substations don't have cooled server rooms, for example, and neither do a lot of facilities in the oil/gas world), hardened ability to resist RF and EM interference, being sealed against dust...the list goes on and on.

      Cisco and the companies you're used to have largely foregone this market, leaving it to companies like RuggedCom, Hirschmann, GarrettCom, and the like. Cisco does have a line of gear that aims at this market, but they just introduced it, the line is relatively small, and they don't have much traction yet. I work in this field, myself, and I like Cisco gear; I'll put it in wherever I can, when doing a design. But for a lot of cases, you simply *can't* use it, at all.

      --

      For your security, this post has been encrypted with ROT-13, twice.
    2. Re:That's what you get by rdunnell · · Score: 3, Informative

      That's not exactly the point. Sure, if a switch is sparking, then it is broken. The point of this gear is that it has been built such that if it breaks, it won't be able to emit dangerous sparks that might do something like cause an explosion in the presence of a buildup of gas or whatever. It still has to be replaced, just like the non-hardened switch, but it is less risky to deploy in an environment where such hazards might be present.

    3. Re:That's what you get by schitso · · Score: 4, Informative

      There's a difference between "shouldn't spark" and "will never spark, ever". Especially in environments where there is the possibility of a release of explosive gases.

  5. Re:So.... by Sique · · Score: 4, Insightful

    Wrong. Completely wrong.

    You are missing the most important aspect.

    There are users with different privileges for a reason. It is quite possible that a person rightly knows the password for a guest account (for instance for monitoring reasons), but is not entitled to any more privileges.
    If this person can then escalate the guest privileges to factory, you have a completely different set of problems than password security.

    --
    .sig: Sique *sigh*
  6. I want to hire some of those cyborgs you use. by Medievalist · · Score: 2

    If a hacker can get ANY password for your system, then you are doing it wrong in the first place.

    By "doing it wrong" I assume you meant "employing human beings" since it's been repeatedly proven that normal human employees will trade their passwords for sex, chocolate, or free theatre tickets.

    1. Re:I want to hire some of those cyborgs you use. by mcgrew · · Score: 3, Funny

      The studies I saw that showed that "normal human employees will trade their passwords for sex, chocolate, or free theatre tickets" had a HUGE flaw -- they didn't check to see if the respondents were lying when they gave "their" password. Hell, if someone offered me sex for my password, I'd say "sure, it's swordfish." Which it isn't really, but I'd still get laid.

  7. Re:WHO? by OAB_X · · Score: 4, Informative

    Cisco, D-Link, Netgear, etc. do not make (much) industrial temp (-40 to +80C, very high EMI/static discharge tolerances, etc.) networking equipment.

    Garrettcom was not the only company in the industry to be caught doing the same thing (see: http://it.slashdot.org/story/12/04/25/1456210/backdoor-in-ruggedos-systems-infrastructure-military-systems-vulnerable). Note the latter one has, according to the company, been patched out in the latest software release.

  8. Wait a minute... by camperdave · · Score: 2

    Wait a minute... Isn't the Department of Homeland Security the one that *wants* backdoor access to everything? After all, you can't put locks on your luggage unless they have a DHS backdoor. Why are they warning us about this? I'm confused. Are we supposed to be rooting for them now?

    --
    When our name is on the back of your car, we're behind you all the way!
  9. Readme.txt by ThatsNotPudding · · Score: 4, Funny

    "Users are also instructed to pencil-in quotation marks around the word 'SECURE' in all of devices' badges and documentation."

  10. Explanation, please. by zooblethorpe · · Score: 2

    Are we supposed to be rooting for them now?

    That depends -- exactly how do you mean that?

    :-P

    --
    "What in the name of Fats Waller is that?"
    "A four-foot prune."
  11. Re:An unforeseen method by Opportunist · · Score: 2

    So what if it "should" be? I don't care what "should" be. My question is not why it exists, my question is why
    a) I don't know about it as the customer
    b) I cannot disable it
    c) it is enabled by default.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  12. This is progress by Animats · · Score: 3, Insightful

    We're making progress on disclosure. A few years ago, companies screamed when somebody found and published information about a hole in their products. Now the disclosures are given wide distribution by the U.S. Government's anti-terrorist agency.

    That sort of thing makes a big difference when big purchasing decisions are being made. "Homeland Security says that company's products are insecure" can easily lose a company a big sale.

  13. Re:An unforeseen method by Trepidity · · Score: 2

    If it's correctly implemented, so it really can only be accessed via the serial console, it's also not a huge deal in common applications. If someone has access to the serial console, you're generally hosed, since few networks are designed to be robust against an adversary with physical access: there's all sorts of mischief you can cause if you're physically present in the server room, and can plug devices into the routers or patch into cables at will.

  14. Factory accounts serve a useful purpose by davidwr · · Score: 4, Informative

    However, if they can be abused then we have a problem.

    I wouldn't necessarily call it a "factory" account, but the well-known way to reset the LOCAL administrator password in a Microsoft Windows Active Directory domain account by using other "offline" means has saved more than a few network administrators time and possibly their jobs, BUT if such a technique were known to be exploitable remotely, all hell would break loose.

    If a box I'm running has a factory-backdoor, I generally have several requirements from the vendor:
    * I know it has a backdoor
    * I know what physical access, if any, is required to use the backdoor
    * I know how to turn it off, or I know that it can't be turned off and accept the risk. Where physical access is required, locking up the device "turns off" the back-door.
    * I know how to make it tamper-evident or I know I can't and accept the risk. If physical access is required, a seal across the door leading to the equipment room provides tamper-evidence.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  15. Re:A guest account? by vlm · · Score: 2

    God forbid I have someone come over for dinner and they're unable to login to my infrastructure switches and peruse the configs!

    In years past I've had repeated experiences with Cisco TAC along the lines of "I donno we've never seen anything like that before, mind if we log in and take a look?"

    This is for stuff that takes more than "show tech" or where "show tech" looks so weird they need more data.

    Needless to say this was at an ISP with a hardware budget best expressed in scientific notation, not home user with a $79 smart switch.

    It's not as unlikely as you'd think.

    The funny part is they always reboot and if that doesn't work swap hardware... it's just a delaying tactic or to make the customer feel better, as far as I know.

    --
    "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger