ICS-CERT Warns That Infrastructure Switches Have Hard-Coded Account Holes

Posted by Unknown Lamer
from the password-is-a-good-password-right dept.
Trailrunner7 writes with news of more critical infrastructure not being well secured. From the article: "The Department of Homeland Security is warning users of some of GarrettCom's switches that there is a hard-coded password in a default account on the devices, which are deployed in a number of critical infrastructure industries, that could allow an attacker to take control of them. A researcher at Cylance discovered the hidden account and warned the ICS-CERT... The problem exists in the GarrettCom Magnum MNS-6K Management Software and the company has released an updated version of the application that addresses the vulnerability. GarrettCom's switches are used in a variety of industries, including transportation, utilities and defense. The company issued a new version of the affected software in May, but didn't note that the fix for this vulnerability was included in it. 'A "factory" account intended to only be allowed to log in over a local serial console port exists in certain versions of GarrettCom's MNS-6K and MNS-6K-SECURE software. Cylance has identified an unforeseen method whereby a user authenticated as "guest" or "operator" can escalate privileges to the "factory" account,' Cylance said in its advisory."
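A hypothetical model of the boundary the advisory describes, added here as an illustration and not GarrettCom's code: a "factory" role that is only usable over the serial console, with elevation from "guest" or "operator" treated as a fresh login so the console restriction and the target's credentials are re-checked. All role names, transports and credentials below are constructed for the example.

```python
"""Added example (hypothetical model, not MNS-6K code): a console-only
'factory' role and a privilege-elevation path that cannot bypass it."""
from dataclasses import dataclass

# Ordered management roles; 'factory' outranks everything and is console-only.
ROLES = {"guest": 0, "operator": 1, "admin": 2, "factory": 3}
CONSOLE_ONLY = {"factory"}

# Constructed credential store for the example (a real device would hold
# per-installation, changeable secrets, never a hard-coded password).
CREDENTIALS = {"guest": "g-pass", "operator": "o-pass",
               "admin": "a-pass", "factory": "f-pass"}


@dataclass
class Session:
    role: str
    transport: str  # "serial" (local console) or "network" (telnet/ssh/web)


class AuthError(Exception):
    pass


def login(user: str, password: str, transport: str) -> Session:
    """Authenticate and bind the session to the transport it arrived on."""
    if user not in ROLES:
        raise AuthError("unknown account")
    if user in CONSOLE_ONLY and transport != "serial":
        raise AuthError(f"{user} is only permitted on the serial console")
    if CREDENTIALS[user] != password:
        raise AuthError("bad credentials")
    return Session(role=user, transport=transport)


def elevate(session: Session, target: str, password: str) -> Session:
    """Raise a session's privilege. The hardened rule: elevation is a fresh
    login as the target role over the session's existing transport, so the
    console-only restriction and the target's own credentials apply. The
    lower role's authentication is never inherited upward."""
    if target not in ROLES or ROLES[target] <= ROLES[session.role]:
        raise AuthError("target role is not higher than current role")
    return login(target, password, session.transport)


def denied(fn, *args) -> bool:
    """Helper for self-checks: True if the call is refused with AuthError."""
    try:
        fn(*args)
        return False
    except AuthError:
        return True
```

The model makes the page's point concrete: the flaw is not that a low-privilege password leaked, but that a monitoring-only session could become "factory" without the console-only check and the factory credentials being applied again.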
  • So the alert is that if a hacker can obtain the password for a low-privilege account, they can escalate their privileges to a super-user account. If a hacker can get ANY password for your system, then you are doing it wrong in the first place. Whether it is Janitor Bob's login or the CEO, password strength is a necessity. Especially so for network gear as the traffic passed through a switch like this would make for some interesting exploitative attacks on whatever infrastructure they support.

    But the impo

    • Re:So.... (Score:5, Insightful)

      by Sique (173459) on Wednesday September 05, 2012 @12:33PM (#41236887) Homepage

      Wrong. Completely wrong.

      You are missing the most important aspect.

      There are users with different privileges for a reason. It is quite possible that a person rightly knows the password for a guest account (for instance for monitoring reasons), but is not entitled to any more privileges.
      If this person then can escalate the guest privileges to factory, you have a completely different set of problems than password security.

      • if a hacker can obtain the password for a low-privilege account, they can escalate their privileges to a super-user account.

        RTFC. You are just repeating what I said. If Hacker 1 cannot get into Guest Account 1, then this exploit doesn't MATTER. That can be accomplished with password security, VLAN, physical security, IDS, etc.

        It's like the password reset on Cisco products. If you can gain physical access to a Cisco box, you can decrypt the super-user password and do whatever you want. Or you can factory reset it. That is not an exploit. It is a feature, and can be very useful at times. But it depends on another layer of

        • by Endovior (2450520)
          Uh... no, you missed a more important point, there. It's quite crippling if the company can't configure different security levels to actually be, you know, secure... essentially, this vulnerability means that if Janitor Bob has guest access, he can escalate to superuser and walk off with whatever he wants. And since as a company, you want to have most people have limited access and a very few trusted people have full access, this is huge. Sure, it'd be nice if you had everything totally locked down, with
          • Janitor Bob also has keys to the building. So therefore Janitor Bob has physical access to these routers. Therefore if Janitor Bob was a nefarious hacker, he would be able to do anything to that box he wanted, given the numerous ways to hack a router when you have physical access.

    • If a hacker can get ANY password for your system, then you are doing it wrong in the first place.

      By "doing it wrong" I assume you meant "employing human beings" since it's been repeatedly proven that normal human employees will trade their passwords for sex, chocolate, or free theatre tickets.

      • Fffft, how expensive. Most people will gladly trade it for the promise that you won't let the sky come down falling on them, i.e. you don't close their WoW accounts.

      • by mcgrew (92797) * on Wednesday September 05, 2012 @03:03PM (#41238707) Homepage Journal

        The studies I saw that showed that "normal human employees will trade their passwords for sex, chocolate, or free theatre tickets" had a HUGE flaw -- they didn't check to see if the respondents were lying when they gave "their" password. Hell, if someone offered me sex for my password, I'd say "sure, it's swordfish." Which it isn't really, but I'd still get laid.

    • by sjames (1099)

      It's not at all unusual in a switch or router to have some people (or role accounts) authorized for monitoring only and others authorized to have full administrative control.

      This flaw effectively removed the difference and silently granted all users the ability to become root.

    • by vlm (69642)

      I'm not familiar with the gear that has the "exploit" but I'm assuming it's VLAN capable, and none of my VLAN capable switches have ever been accessible by anyone but the SNMP management console machine and the network admin's desk and a couple other "secure" locations. By design not as simple as plug into an ethernet jack in the conference room and telnet in...

      If this hardware isn't VLAN capable I'm not sure what they're thinking WRT the design. Probably some GD software patent on the concept of having a

  • Thomas Gabriel warned them! And they ignored him!
  • For not using Cisco Gear. ...

    *ducks*

    • by Shoten (260439) on Wednesday September 05, 2012 @12:47PM (#41237071)

      For not using Cisco Gear. ...

      *ducks*

      Cisco gear isn't suitable for most of the environments where this stuff goes. There's a whole world of networking applications that require industrial hardness. No cooling fans or vents, a form factor to fit on DIN rails [wikipedia.org], and even intrinsically safe (i.e., won't make sparks that would ignite flammable gases) characteristics. Oh, also...tolerance to heat (small substations don't have cooled server rooms, for example, and neither do a lot of facilities in the oil/gas world), hardened ability to resist RF and EM interference, being sealed against dust...the list goes on and on.

      Cisco and the companies you're used to have largely foregone this market, leaving it to companies like RuggedCom, Hirschmann, GarrettCom, and the like. Cisco does have a line of gear that aims at this market, but they just introduced it, the line is relatively small, and they don't have much traction yet. I work in this field, myself, and I like Cisco gear; I'll put it in wherever I can, when doing a design. But for a lot of cases, you simply *can't* use it, at all.

      • I would say even if your non industrial hardened switches are throwing sparks, it is time to get some new gear.
        • by rdunnell (313839) on Wednesday September 05, 2012 @01:14PM (#41237409)

          That's not exactly the point. Sure, if a switch is sparking, then it is broken. The point of this gear is that it has been built such that if it breaks, it won't be able to emit dangerous sparks that might do something like cause an explosion in the presence of a buildup of gas or whatever. It still has to be replaced, just like the non-hardened switch, but it is less risky to deploy in an environment where such hazards might be present.

        • by schitso (2541028) on Wednesday September 05, 2012 @01:15PM (#41237421)
          There's a difference between "shouldn't spark" and "will never spark, ever". Especially in environments where there is the possibility of a release of explosive gases.
      • by vlm (69642)

        and even intrinsically safe (i.e., won't make sparks that would ignite flammable gases) characteristics.

        OK I'll bite. How does GarrettCom do this? I mean at the ISO level 1 electrical/hardware characteristics? I'm guessing it's a huge challenge to do PoE that cannot theoretically spark when you yank a current carrying cable out of a jack. Maybe a physical lock holds the ethernet plug in and unlocking the plug powers down the PoE faster than you can yank the cable, or some ridiculous arrangement with constant current source and a SCR crowbar ckt if the voltage rises too high aka is arcing? Or they just don't

        • I am not an intrinsic safety expert but my thoughts:

          Modern ethernet (from 10base-T forward) is AC coupled and the signal levels are pretty small, so they may well be low enough that they can be exposed externally provided appropriate protection is in place (and NO POE of course). I doubt anyone cares about 10base-2 and 10base-5 at this point.

          As for circuits that must not be exposed to the explosive atmosphere I would guess they usually hardwire it through special glands. If it has to go through connectors t

    • by mcgrew (92797) *

      I tried making a router out of ducks once, it didn't work too well.

      • by Dishevel (1105119)

        I have never made a router out of ducks but I did once create a switch out of ducks.
        Worked great for situations where you wanted high bandwidth and could live with really bad latency.

  • God forbid I have someone come over for dinner and they're unable to login to my infrastructure switches and peruse the configs!

    • by vlm (69642)

      God forbid I have someone come over for dinner and they're unable to login to my infrastructure switches and peruse the configs!

      In years past I've had repeated experiences with Cisco TAC along the lines of "I donno we've never seen anything like that before, mind if we log in and take a look?"

      This is for stuff that takes more than "show tech" or where "show tech" looks so weird they need more data.

      Needless to say this was at an ISP with a hardware budget best expressed in scientific notation, not home user with a $79 smart switch.

      It's not as unlikely as you'd think.

      The funny part is they always reboot and if that doesn't work swap ha

  • Good to see you provide a useful service for a change.

    Now, get out of my pants!

  • by camperdave (969942) on Wednesday September 05, 2012 @12:57PM (#41237209) Journal
    Wait a minute... Isn't the Department of Homeland Security the one that *wants* backdoor access to everything? After all, you can't put locks on your luggage unless they have a DHS backdoor. Why are they warning us about this? I'm confused. Are we supposed to be rooting for them now?
    • Are we supposed to be rooting for them now?

      That depends -- exactly how do you mean that?

      :-P

    • by fa2k (881632)

      Wait a minute... Isn't the Department of Homeland Security the one that *wants* backdoor access to everything?

      From TFS: "A researcher at Cylance discovered the hidden account and warned the ICS-CERT." If it's out in public, it's of no use to them.

      It would be refreshing to have a similar level of objectivity as in this story the next time a backdoor is found in a Chinese switch.

  • Readme.txt (Score:5, Funny)

    by ThatsNotPudding (1045640) on Wednesday September 05, 2012 @12:58PM (#41237215)
    "Users are also instructed to pencil-in quotation marks around the word 'SECURE' in all of devices' badges and documentation."
  • This is progress (Score:4, Insightful)

    by Animats (122034) on Wednesday September 05, 2012 @01:23PM (#41237515) Homepage

    We're making progress on disclosure. A few years ago, companies screamed when somebody found and published information about a hole in their products. Now the disclosures are given wide distribution by the U.S. Government's anti-terrorist agency.

    That sort of thing makes a big difference when big purchasing decisions are being made. "Homeland Security says that company's products are insecure" can easily lose a company a big sale.

  • by davidwr (791652) on Wednesday September 05, 2012 @01:46PM (#41237749) Homepage Journal

    However, if they can be abused then we have a problem.

    I wouldn't necessarily call it a "factory" account, but the well-known way to reset the LOCAL administrator password in a Microsoft Windows Active Directory Domain Account then using other "offline" means has saved more than a few Network Administrators time and possibly their jobs, BUT if such a technique were known to be exploitable remotely, all hell would break loose.

    If a box I'm running has a factory-backdoor, I generally have several requirements from the vendor:
    * I know it has a backdoor
    * I know what physical access, if any, is required to use the backdoor
    * I know how to turn it off, or I know that it can't be turned off and accept the risk. Where physical access is required, locking up the device "turns off" the back-door.
    * I know how to make it tamper-evident or I know I can't and accept the risk. If physical access is required, a seal across the door leading to the equipment room provides tamper-evidence.

  • Why don't they run these SCADA [wikipedia.org] units over a VPN [wikipedia.org] circuit run on embedded hardware [wikipedia.org]?
