The Department of Homeland Security is warning users of some of GarrettCom’s switches, which are deployed in a number of critical infrastructure industries, that a default account on the devices has a hard-coded password that could allow an attacker to take control of them.
A researcher at Cylance discovered the hidden account and warned the ICS-CERT, the arm of the DHS that handles security threats and information for critical infrastructure systems. The problem exists in the GarrettCom Magnum MNS-6K Management Software and the company has released an updated version of the application that addresses the vulnerability. A major mitigating factor for the issue is that an attacker would need to have access to an existing account on an affected switch in order to exploit the vulnerability to escalate his privileges.
“The Magnum MNS-6K Management Software uses an undocumented hard-coded password that could allow an attacker with access to an established device account to escalate privileges to the administrative or full-access level. While an attacker must use an established account on the device under attack, this vulnerability facilitates the circumvention of physical-connect safeguards and could allow complete administrative level access to the system, compromising system confidentiality, integrity, and availability,” the ICS-CERT advisory says.
“Successful exploitation of this vulnerability from an established account on the system could allow escalation of privileges to full administrative access. The privilege escalation could provide the attacker a vector for making changes to settings, or initiating a complete device shutdown causing a denial of service (DoS).”
GarrettCom’s switches are used in a variety of industries, including transportation, utilities and defense. The company issued a new version of the affected software in May, but didn’t note that the fix for this vulnerability was included in it.
“A ‘factory’ account intended to only be allowed to log in over a local serial console port exists in certain versions of GarrettCom’s MNS-6K and MNS-6K-SECURE software. Cylance has identified an unforeseen method whereby a user authenticated as ‘guest’ or ‘operator’ can escalate privileges to the ‘factory’ account,” Cylance said in its advisory.
This is the second warning of this kind about bugs in critical infrastructure equipment from ICS-CERT in the last month. In August the group issued an advisory about a string of flaws in the Tridium Niagara software that were discovered and reported months earlier by researchers Billy Rios and Terry McCorkle.