A number of hardened, managed Ethernet switches made by GE for industrial and transportation systems ship with a hard-coded private SSL key. Because the key is embedded in the firmware rather than generated on each device, anyone who obtains a copy of the firmware can extract it, and the researchers who found the issue determined that the resulting vulnerabilities can be exploited remotely.
The vulnerabilities affect a number of GE Ethernet switches, including the GE Multilink ML800/1200/1600/2400, Version 4.2.1 and prior, and the GE Multilink ML810/3000/3100 series, Version 5.2.0 and prior. Researchers at IOActive discovered them and found that they could be exploited remotely. Since every switch running an affected firmware version carries the same key, recovering it once is enough to decrypt the SSL-protected management traffic of any of them. The vulnerabilities have already been disclosed publicly.
“The GE Multilink ML800 is subject to unauthorized access via hard-coded credentials. In addition, availability can be impacted through attacks composed of specifically crafted packets to the web server resulting in switch performance degradation. If attacks continue, the web server will be subject to a denial of service,” the advisory from ICS-CERT says.
“The RSA private key used to decrypt SSL traffic in the switch can be obtained from the firmware allowing malicious users to decrypt traffic.”
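The advisory's point is that the key is recoverable from the firmware itself. The following is an added example, not IOActive's tooling and not GE or ICS-CERT code, of how a reviewer finds and confirms such a key in an arbitrary firmware image: it carves PEM-wrapped and bare DER PKCS#1 RSAPrivateKey structures out of a byte blob and then checks the RSA arithmetic (n = p·q, e·d ≡ 1 mod λ(n), the CRT values) so that only genuine keys are reported rather than byte runs that merely parse as ASN.1. It is pure Python 3 standard library; the image it scans is a constructed blob with a toy 150-bit key planted twice, and the offsets, key size and filler are assumptions for the demonstration, not details of the GE firmware.

```python
# Added example: scan a firmware image for embedded RSA private keys (PEM or bare
# DER) and validate every hit arithmetically. Pure Python 3.8+, stdlib only; the
# "firmware" is a constructed blob with a toy-sized key planted in it, not a GE image.
import base64
import hashlib
import math
import random
import re

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(x):
    """DER INTEGER, with a leading 0x00 whenever the top bit would be set."""
    body = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(body)) + body

def encode_rsa_private_key(n, e, d, p, q):
    """RSAPrivateKey ::= SEQUENCE { version 0, n, e, d, p, q, dP, dQ, qInv } (PKCS#1)."""
    body = b"".join(der_int(v) for v in (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)))
    return b"\x30" + der_len(len(body)) + body

def read_tlv(buf, pos):
    """(tag, value, end) of the DER element at pos; ValueError if malformed or truncated."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                        # long form: low bits give the length-of-length
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad length")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def key_is_consistent(n, e, d, p, q, dp, dq, qinv):
    """Ties n, d and the CRT values together; random bytes that parse as ASN.1 fail here."""
    if p < 2 or q < 2 or p * q != n:
        return False
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # Carmichael lambda(n)
    return e * d % lam == 1 and dp == d % (p - 1) and dq == d % (q - 1) and qinv * q % p == 1

def parse_rsa_private_key(der):
    """Parse exactly one PKCS#1 RSAPrivateKey; return (n, e, d, p, q) or None."""
    try:
        tag, body, end = read_tlv(der, 0)
        if tag != 0x30 or end != len(der):
            return None
        ints, pos = [], 0
        for _ in range(9):
            t, v, pos = read_tlv(body, pos)
            if t != 0x02 or not v:
                return None
            ints.append(int.from_bytes(v, "big"))
        if pos != len(body) or ints[0] != 0:  # version must be 0, nothing may trail
            return None
    except ValueError:
        return None
    return tuple(ints[1:6]) if key_is_consistent(*ints[1:]) else None

PEM_RE = re.compile(rb"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", re.S)

def scan_firmware(image):
    """One dict per validated RSA private key found, PEM-wrapped or bare DER, sorted by offset."""
    def hit(offset, enc, key):
        n = key[0]
        return {"offset": offset, "encoding": enc, "bits": n.bit_length(), "e": key[1],
                "fingerprint": hashlib.sha256(der_int(n)).hexdigest()[:16]}
    hits = []
    for m in PEM_RE.finditer(image):
        try:
            key = parse_rsa_private_key(base64.b64decode(re.sub(rb"\s", b"", m.group(1)), validate=True))
        except ValueError:                    # binascii.Error is a ValueError
            continue
        if key:
            hits.append(hit(m.start(), "PEM", key))
    for off in range(len(image)):
        if image[off] != 0x30:                # every RSAPrivateKey starts with a SEQUENCE tag
            continue
        try:
            key = parse_rsa_private_key(image[off:read_tlv(image, off)[2]])
        except ValueError:
            continue
        if key:
            hits.append(hit(off, "DER", key))
    return sorted(hits, key=lambda h: h["offset"])

# Toy key from two known Mersenne primes: a 150-bit modulus, hopelessly small for real
# use, but the parser and checks are the same ones a 2048-bit key goes through.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
KEY_DER = encode_rsa_private_key(N, E, D, P, Q)
KEY_PEM = b"-----BEGIN RSA PRIVATE KEY-----\n" + base64.encodebytes(KEY_DER) + b"-----END RSA PRIVATE KEY-----\n"

def build_firmware():
    """Constructed image (assumption, not real firmware): filler with the same key planted twice."""
    rng = random.Random(2014)
    filler = lambda k: bytes(rng.getrandbits(8) for _ in range(k))
    return filler(4096) + KEY_DER + filler(2048) + KEY_PEM + filler(1024)

if __name__ == "__main__":
    hits = scan_firmware(build_firmware())
    for h in hits:
        print(f"offset 0x{h['offset']:06x} {h['encoding']} RSA-{h['bits']} e={h['e']} key={h['fingerprint']}")
    print(f"{len(hits)} occurrence(s) of {len({h['fingerprint'] for h in hits})} distinct key(s)")
```

The arithmetic check is what separates this from a plain string search: a hit is only reported when the carved integers actually form a working RSA key. Once a key carved this way is confirmed, the fingerprint of its modulus can be compared with the certificate a deployed switch presents; the same fingerprint showing up on different units is what turns a single firmware download into the ability to decrypt every unit's management traffic.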
In addition to the hard-coded private key, the IOActive researchers found that they could cause a denial of service against the switch's Web interface by sending a series of specially crafted packets.
“This denial-of-service attack affects the web interface used to configure the device with a web browser. It is recommended that when deploying the device into a production environment that the web server be disabled in order to effectively mitigate this vulnerability. After disabling the web interface, a user remains able to configure the device locally or remotely through the command line interfaces without risk of this attack. By connecting to the command line interface through serial terminal or telnet, it is possible to disable the web server,” the advisory says.
The advisory from GE has instructions on obtaining the patched firmware.