A month ago ICS-CERT published an advisory for a hard-coded root credential vulnerability in the ORing DIN-Rail Device Server that was reported in an uncoordinated disclosure by Reid Wightman, then working with DigitalBond. Reid’s blog post about that vulnerability reported that the same vulnerability existed in Korenix Jetport 5600. In fact, he noted that the backdoors were identical and “the firmwares are eerily similar”. Today, ICS-CERT published the advisory for the Jetport 5600.
Unlike the earlier advisory where ICS-CERT threw the vendor under the bus for failure to correct the deficiency, ICS-CERT reports that Korenix has developed an upgraded version of the firmware that removes the root and guest accounts as well as the current version of OpenSSL. The advisory doesn’t note, however, that anyone has confirmed that this corrects the problem.
If Reid is right about the two devices sharing the same firmware, then this update should also correct the problem in the ORing server. I wonder if anyone has checked this out?
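The advisory says the new firmware removes the root and guest accounts, but nobody is reported to have confirmed that. The check an owner can run themselves is to pull `/etc/passwd` and `/etc/shadow` out of the firmware image and list every account that still has a usable credential. The script below is an added example, not code from ICS-CERT, Digital Bond or either vendor; the passwd and shadow contents are constructed samples that stand in for the "before" and "after" images, and the hash values are placeholders.

```python
"""Audit extracted firmware account files for login-capable accounts.

Added example (not from the advisory or either vendor). Given the text of
/etc/passwd and /etc/shadow pulled out of an unpacked firmware root, report
every account that could still be logged into, so an operator can verify
that an update really removed a hard-coded account instead of trusting the
release note. All sample data below is constructed, not real firmware.
"""

# A shadow hash field beginning with one of these cannot match any password.
LOCKED_PREFIXES = ("!", "*")


def parse_colon_file(text, min_fields):
    """Parse a colon-separated account file into {username: fields}."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < min_fields:
            continue  # truncated or malformed line; ignore rather than guess
        rows[fields[0]] = fields
    return rows


def audit_accounts(passwd_text, shadow_text):
    """Return a list of (user, reason) for accounts that can still log in."""
    passwd = parse_colon_file(passwd_text, 7)
    shadow = parse_colon_file(shadow_text, 2)
    findings = []
    for user, fields in passwd.items():
        pw_field, uid, shell = fields[1], fields[2], fields[6]
        # The hash is either inline in passwd or shadowed; a missing shadow
        # entry is treated as locked, since there is nothing to match.
        if pw_field == "x":
            hash_value = shadow.get(user, [user, "!"])[1]
        else:
            hash_value = pw_field
        if hash_value == "":
            findings.append((user, "empty password (no credential required)"))
        elif not hash_value.startswith(LOCKED_PREFIXES):
            findings.append((user, f"password hash present, uid {uid}, shell {shell}"))
    # A second way a backdoor hides: an extra account carrying uid 0.
    for user, fields in passwd.items():
        if fields[2] == "0" and user != "root":
            findings.append((user, "uid 0 (root-equivalent) account"))
    return findings


# Constructed "before" image: root and guest both carry real hashes.
BEFORE_PASSWD = """root:x:0:0:root:/root:/bin/sh
guest:x:1000:1000:guest:/home/guest:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
"""
BEFORE_SHADOW = """root:$1$CONSTRUCTEDSALT$constructedhashvalue:15000:0:99999:7:::
guest:$1$CONSTRUCTEDSALT$anotherconstructedhash:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
"""

# Constructed "after" image: root and guest gone; an operator account exists
# but stays locked until a password is set locally.
AFTER_PASSWD = """daemon:x:1:1:daemon:/usr/sbin:/sbin/nologin
admin:x:1001:1001:operator-set:/home/admin:/bin/sh
"""
AFTER_SHADOW = """daemon:*:15000:0:99999:7:::
admin:!:15000:0:99999:7:::
"""

if __name__ == "__main__":
    for label, pw, sh in (("before", BEFORE_PASSWD, BEFORE_SHADOW),
                          ("after", AFTER_PASSWD, AFTER_SHADOW)):
        found = audit_accounts(pw, sh)
        print(f"{label}: {len(found)} login-capable account(s)")
        for user, reason in found:
            print(f"  {user}: {reason}")
```

Run it against the files from the unpacked image, not the vendor's changelog: an "after" run that still lists `root` or `guest` with a hash present means the account was not removed, and an extra uid 0 entry is flagged even when its own hash is locked.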
Where Are the Alerts?
Okay, I tried to avoid it, but I just have to ask. Why wasn’t there an alert published back in June, when Reid published his blog post (complete with exploit code) about the vulnerability in both of these systems? Wouldn’t the owners of these devices (most of whom had probably never heard of DigitalBond) want to know that they were vulnerable to having their systems completely taken over by anyone with an interest in messing with them?