
ICS-CERT Warns That Infrastructure Switches Have Hard-Coded Account Holes

Trailrunner7 writes with news of more critical infrastructure not being well secured. From the article: "The Department of Homeland Security is warning users of some of GarrettCom's switches that there is a hard-coded password in a default account on the devices, which are deployed in a number of critical infrastructure industries, that could allow an attacker to take control of them. A researcher at Cylance discovered the hidden account and warned the ICS-CERT... The problem exists in the GarrettCom Magnum MNS-6K Management Software and the company has released an updated version of the application that addresses the vulnerability. GarrettCom's switches are used in a variety of industries, including transportation, utilities and defense. The company issued a new version of the affected software in May, but didn't note that the fix for this vulnerability was included in it. 'A "factory" account intended to only be allowed to log in over a local serial console port exists in certain versions of GarrettCom's MNS-6K and MNS-6K-SECURE software. Cylance has identified an unforeseen method whereby a user authenticated as "guest" or "operator" can escalate privileges to the "factory" account,' Cylance said in its advisory."
  • by Trepidity ( 597 ) <delirium-slashdot@@@hackish...org> on Wednesday September 05, 2012 @01:10PM (#41236555)

    Well, yes, but it sounds like the intention was that this method of authentication should only be available via the serial console.

    My guess from the description is that they blocked non-console logins as the 'factory' user, but forgot about the equivalent of 'su', so you can log in as another user and then escalate. Sort of like blocking ssh login as root, but having a guest account and a published root password: someone can still ssh as the guest account and then escalate to root.
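The failure mode guessed at in the comment above, as an added toy model that is not part of the original post and is not GarrettCom's code: a console-only restriction enforced at login but not on the "su"-style path, next to a version that re-applies it. The account names come from the advisory text; the passwords, channel names and function names are constructed for illustration.

```python
import hmac

# Constructed sample accounts; each lists the channels it may be used from.
ACCOUNTS = {
    "guest":   {"password": "guest-pw-example",   "channels": {"serial", "network"}},
    "factory": {"password": "factory-pw-example", "channels": {"serial"}},
}

def _password_ok(user, password):
    acct = ACCOUNTS.get(user)
    return acct is not None and hmac.compare_digest(
        acct["password"].encode(), password.encode())

def _channel_ok(user, channel):
    return channel in ACCOUNTS[user]["channels"]

def login(user, password, channel):
    """Initial login: enforces the per-account channel restriction."""
    if _password_ok(user, password) and _channel_ok(user, channel):
        return {"user": user, "channel": channel}
    return None

def switch_user_flawed(session, target, password):
    """'su'-style switch that checks only the password: the channel
    restriction on the target account is never consulted."""
    if _password_ok(target, password):
        return {"user": target, "channel": session["channel"]}
    return None

def switch_user_fixed(session, target, password):
    """Same switch, but the target account's channel policy is applied
    to the channel the existing session arrived on."""
    if _password_ok(target, password) and _channel_ok(target, session["channel"]):
        return {"user": target, "channel": session["channel"]}
    return None

if __name__ == "__main__":
    net = login("guest", "guest-pw-example", "network")
    print("direct factory login over network:",
          login("factory", "factory-pw-example", "network"))
    print("flawed switch from network guest:",
          switch_user_flawed(net, "factory", "factory-pw-example"))
    print("fixed switch from network guest:",
          switch_user_fixed(net, "factory", "factory-pw-example"))
```

The design point is that a restriction tied to an account has to be checked on every path that can produce a session for that account, not only on the initial login.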

  • Re:So.... (Score:5, Insightful)

    by Sique ( 173459 ) on Wednesday September 05, 2012 @01:33PM (#41236887) Homepage

    Wrong. Completely wrong.

    You are missing the most important aspect.

    There are users with different privileges for a reason. It is quite possible that a person rightly knows the password for a guest account (for instance for monitoring reasons), but is not entitled to any more privileges.
    If this person then can escalate the guest privileges to factory, you have a completely different set of problems than password security.

  • This is progress (Score:4, Insightful)

    by Animats ( 122034 ) on Wednesday September 05, 2012 @02:23PM (#41237515) Homepage

    We're making progress on disclosure. A few years ago, companies screamed when somebody found and published information about a hole in their products. Now the disclosures are given wide distribution by the U.S. Government's anti-terrorist agency.

    That sort of thing makes a big difference when big purchasing decisions are being made. "Homeland Security says that company's products are insecure" can easily lose a company a big sale.
