An Australian penetration tester has discovered remotely exploitable flaws in switches made by the American companies Red Lion Controls and AutomationDirect that could be exploited even by hackers with low skill levels.
Mark Cross, who works for RiOT Solutions, told iTWire that he had found the flaws - hardcoded SSH and SSL keys and incorrect permissions in the passwords file - while he was experimenting with the firmware, which he had downloaded from the companies' websites.
This hardcoding of keys means that every device of the kind in the world uses the same keys and certificates.
Red Lion Controls and AutomationDirect are both suppliers to the US Department of Homeland Systems. Cross discovered the issues in Red Lion Controls’ Sixnet SLX Managed Industrial Switches and AutomationDirect's STRIDE Managed Ethernet Switches.
He said he was surprised that the firmware was available for download by anyone, as most companies that make equipment for critical infrastructure will only make such downloads available to people who have bought their products and have a licence to access them.
The switches in question are used worldwide in critical infrastructure environments.
Cross said he was aware that it would not be easy to inform the companies of what he had found as he knew they would not receive the news well.
Hence, he approached DHS and co-ordinated the disclosure process with them. He first found the SSH and SSL flaw on 16 October and informed the DHS Industrial Control Systems Cyber Emergency Response Team on 31 October, but it took until Thursday US time for the vulnerabilities to be made public, as this could happen only once fixes were in place.
However, both companies have only released a firmware fix for the SSH and SSL issue. They have refused to release a fix for the incorrect permissions in the password file. As Cross noted in a detailed write-up of his research: "Vendor advised they will not release a patch or CVE for this issue as they believe it is not a vulnerability, but rather a bad security practice."
Cross said he had also found that there was no shadow password file and the password hashes were in the password file itself.
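The two password-file weaknesses described above (hashes stored directly in the passwd file, no shadow file, and a passwd file with loose permissions) are the kind of thing an asset owner can check for themselves in an extracted firmware image. The following is an added example written for this article, not the researcher's tooling or either vendor's code; the firmware root it audits is a constructed sample built in a temporary directory, and the hash string in it is a made-up placeholder.

```python
"""Audit an extracted firmware root for password-file weaknesses:
hashes kept in etc/passwd rather than etc/shadow, a missing shadow
file, and a passwd file that is writable by group or others.
Constructed sample data only; assumes a POSIX filesystem for chmod."""
import os
import stat
import tempfile
from dataclasses import dataclass, field

# Password-field values that mean "no hash stored here": the hash lives in
# /etc/shadow ("x"), or the account is locked / passwordless ("*", "!", "").
_PLACEHOLDERS = {"x", "*", "!", "!!", ""}


@dataclass
class PasswdAudit:
    hashed_accounts: list = field(default_factory=list)   # hash present in passwd
    empty_password_accounts: list = field(default_factory=list)
    shadow_present: bool = False
    passwd_mode: int = 0                                  # permission bits only
    findings: list = field(default_factory=list)


def audit_passwd_text(text: str) -> tuple[list[str], list[str]]:
    """Return (accounts whose second field holds a hash,
               accounts whose second field is empty)."""
    hashed, empty = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # not a valid passwd(5) entry; skip rather than guess
        user, pw = fields[0], fields[1]
        if pw == "":
            empty.append(user)
        elif pw not in _PLACEHOLDERS:
            hashed.append(user)
    return hashed, empty


def audit_firmware_root(root: str) -> PasswdAudit:
    """Inspect <root>/etc/passwd and <root>/etc/shadow of an extracted image."""
    result = PasswdAudit()
    passwd_path = os.path.join(root, "etc", "passwd")
    shadow_path = os.path.join(root, "etc", "shadow")

    result.shadow_present = os.path.exists(shadow_path)
    with open(passwd_path, encoding="utf-8", errors="replace") as fh:
        result.hashed_accounts, result.empty_password_accounts = audit_passwd_text(fh.read())
    result.passwd_mode = stat.S_IMODE(os.stat(passwd_path).st_mode)

    if result.hashed_accounts:
        result.findings.append(
            "password hashes stored in etc/passwd: " + ", ".join(result.hashed_accounts))
    if not result.shadow_present:
        result.findings.append("no etc/shadow file in image")
    if result.passwd_mode & (stat.S_IWGRP | stat.S_IWOTH):
        result.findings.append(
            f"etc/passwd is group/world writable (mode {result.passwd_mode:04o})")
    # passwd is normally 0644 and readable by everyone; that is only a problem
    # when it also carries hashes, which is exactly the combination here.
    if result.hashed_accounts and result.passwd_mode & stat.S_IROTH:
        result.findings.append("hashes are world-readable")
    if result.empty_password_accounts:
        result.findings.append(
            "accounts with empty password field: " + ", ".join(result.empty_password_accounts))
    return result


def build_sample_root() -> str:
    """Create a constructed firmware root reproducing the weaknesses. The hash
    value is a placeholder, not a real credential from any device."""
    root = tempfile.mkdtemp(prefix="fw_sample_")
    os.makedirs(os.path.join(root, "etc"))
    passwd = (
        "root:$1$CONSTRUCTED$placeholderhashvalue:0:0:root:/root:/bin/sh\n"
        "daemon:x:1:1:daemon:/usr/sbin:/bin/false\n"
    )
    passwd_path = os.path.join(root, "etc", "passwd")
    with open(passwd_path, "w", encoding="utf-8") as fh:
        fh.write(passwd)
    os.chmod(passwd_path, 0o666)   # deliberately loose mode for the demo
    return root                    # note: no etc/shadow is created


def demo() -> PasswdAudit:
    return audit_firmware_root(build_sample_root())


if __name__ == "__main__":
    for finding in demo().findings:
        print("FINDING:", finding)
```

Run it against the `etc/` directory of any extracted image (for example the output of a squashfs or cpio unpack) by passing that root to `audit_firmware_root`; on a correctly built image it should report nothing, because every second field in passwd is `x` and the hashes sit in a root-only shadow file.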
He said the BusyBox utility was used on the switches, but it had been customised to the vendors' own specifications, resulting in the weaknesses that he had identified.