Industrial Switches from different Vendors Impaired by Similar Exposures
Industrial switches are built on universal firmware developed by Korenix Technology, a leading provider of industrial networking solutions based in Taiwan. As a result, nearly all industrial switches on the market today suffer from similar exposures, regardless of vendor.
SEC Consult, a cyber-security consultancy based in Austria, was the first to discover these exposures. The Atos-owned organization had been pressing for the security holes to be fixed since mid-April 2020, but Korenix took close to one year before finally releasing patches.
Korenix has developed another firmware that the organization incorporates in its JetNet industrial switches. Other organizations that use the Korenix firmware include Pepperl+Fuchs and Westermo.
The two organizations use the firmware in the Comtrol RocketLinx industrial switches and the PMI-110-F2G, respectively. Beijer Electronics Group owns both Westermo and Korenix. According to SEC Consult, devices from these two companies share a partially similar firmware base and are therefore affected by similar vulnerabilities.
SEC Consult experts identified five different vulnerability types, which they rated as high or critical severity. The vulnerabilities were assigned the Common Vulnerabilities and Exposures (CVE) identifiers CVE-2020-12500 through CVE-2020-12504. They include:
- Backdoor account
- Device administration
- Cross-site request forgery (CSRF)
- Trivial File Transfer Protocol (TFTP) file write/read issues

According to Thomas Weber, an SEC Consult researcher:
“This TFTP server can be abused to read all files from the system as the daemon runs as root which results in a password hash exposure via the file /etc/passwd. Write access is restricted to certain files (configuration, certificates, boot loader, firmware upgrade), though. By uploading malicious Quagga config files, an attacker can modify, e.g., the IP settings of the device. Malicious firmware and bootloader uploads are possible too. All of the security holes impact several RocketLinx ES switches, and three of them only affect some ICRL switches.”
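The TFTP abuse described above leaves a recognisable trace on the wire: an RRQ for a credential file such as /etc/passwd, or a WRQ to a configuration, certificate, boot loader or firmware path. The following detector is an added example and not code from SEC Consult or Korenix; it parses RFC 1350 request packets and flags those patterns, with the sample packets constructed inline rather than captured from a real device.

```python
import struct

RRQ, WRQ = 1, 2
# Read target named in the advisory; write hints cover the file classes it lists
SENSITIVE_READ = ("/etc/passwd",)
WRITE_HINTS = ("quagga", "config", "cert", "bootloader", "firmware")


def parse_tftp_request(payload: bytes):
    """Decode a TFTP RRQ/WRQ packet: 2-byte opcode, then NUL-terminated filename and mode.
    Returns None for other opcodes or malformed packets."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (RRQ, WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:  # filename, mode, and the empty remainder after the final NUL
        return None
    filename = fields[0].decode("latin-1")
    mode = fields[1].decode("latin-1").lower()
    return {"op": "RRQ" if opcode == RRQ else "WRQ", "filename": filename, "mode": mode}


def classify(req):
    """Flag credential-file reads and writes to config/cert/bootloader/firmware paths."""
    name = req["filename"].lower()
    if req["op"] == "RRQ" and any(name.endswith(p) for p in SENSITIVE_READ):
        return "ALERT: credential file read"
    if req["op"] == "WRQ" and any(h in name for h in WRITE_HINTS):
        return "ALERT: write to config/bootloader/firmware path"
    return "info"


def build_request(opcode, filename, mode="octet"):
    """Build a TFTP request packet; used here only to construct sample traffic."""
    return struct.pack("!H", opcode) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


# Constructed sample traffic (not a capture from any real switch)
SAMPLES = [
    build_request(RRQ, "/etc/passwd"),
    build_request(WRQ, "/etc/quagga/zebra.conf"),
    build_request(RRQ, "/tmp/device.log"),
]


def scan(packets):
    """Return (opcode, filename, verdict) for every parseable request packet."""
    results = []
    for pkt in packets:
        req = parse_tftp_request(pkt)
        if req:
            results.append((req["op"], req["filename"], classify(req)))
    return results
```

In practice the packets would come from a mirror port or pcap of UDP port 69 traffic to the switch management interface; any ALERT from a host outside the management network is worth an investigation.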
When cybercriminals gain network access to a targeted device, they can:
- Acquire sensitive data
- Make unapproved configuration changes
- Trigger a denial-of-service (DoS) condition

Recovering from such a condition requires users to press the reset button on the switch to start the reconfiguration procedure.
Attackers can leverage these vulnerabilities to seize control of a device. Affected devices are often used in the following industries:
- Heavy machinery
- Energy and power
Thomas Weber, the SEC Consult researcher who identified these exposures, says that the switches are deployed at various critical points across the network. Cybercriminals may take advantage of the exposures to cut off connected systems from the network.
According to Weber, he identified only a few affected devices exposed on the internet. In theory, the Cross-Site Request Forgery (CSRF) vulnerabilities could be used to mount attacks directly from the internet. However, the researcher noted that the CSRF protections built into web browsers make such exploitation more complicated.
Pepperl+Fuchs released workarounds and patches last year after being notified of the vulnerabilities. However, the company's response was limited, since the flaws were in the Korenix firmware.
SEC Consult's efforts to convince Korenix to patch the flaws only started bearing fruit close to the end of November 2020, when the consultancy was preparing to publish its findings.
Representatives from Beijer contacted SEC Consult after Hacker Combat sought clarification. The cyber-security firm postponed its advisory to give the vendor enough time to issue patches. According to SEC Consult, communication improved notably after Beijer took over the disclosure process.
Apart from providing firmware updates that patch the flaws, Korenix has published several recommendations aimed at preventing possible attacks, including:
- Firewall configuration to safeguard the switches from attacks emanating from external sources
- Enforcing security best practices
- Restricting device access
Beijer Electronics told Hacker Combat that it had worked with SEC Consult to determine the right time to release the advisory to the public. However, the company expressed regret that the advisory includes Proof-of-Concept (PoC) code and other information that attackers could use to attack customer systems.