This afternoon the DHS ICS-CERT published an advisory for GarrettCom Ethernet switches. The advisory describes multiple vulnerabilities in GarrettCom’s Magnum 6k and Magnum 10k product lines. The vulnerabilities were reported by Ashish Kamble of Qualys Security and Eireann Leverett. GarrettCom has produced new firmware versions to correct these vulnerabilities and ICS-CERT reports that Kamble has validated the efficacy of the fixes.
The reported vulnerabilities are:
∙ Use of hard-coded credentials, CVE-2015-3960 and CVE-2015-3959; and
∙ External control of assumed-immutable web parameter, CVE-2015-3961
It looks like there is a typo in the advisory where ICS-CERT usually reports the difficulty of exploiting the vulnerabilities; they repeat the previous comment about no known public exploits. Based upon past reports, however, I would suspect that a relatively low skilled attacker could remotely exploit the vulnerability.
Interestingly, the Belden GarrettCom release note calls one of the hard-coded credential vulnerabilities an ‘SSL key exposure’ vulnerability. They explain that it is “possible for certain security keys of the Belden Garrettcom 10K and 6K products to be deciphered potentially posing a man-in-the-middle security threat when using HTTPS to communicate with the device”. They also maintain that the remaining hard-coded credential vulnerability only applies to a privileged account that “is actually not enabled in the operating switch”.
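An ‘SSL key exposure’ of this kind shows up operationally as many devices presenting the same HTTPS certificate (and therefore the same private key), which is what lets anyone holding that key impersonate any of them. An asset owner can check for that symptom across a fleet without knowing the key itself. The script below is an added example written for this post, not code from the advisory, Belden GarrettCom or the researchers; the host names and fingerprints in SAMPLE are constructed, and the port and timeout values are assumptions.

```python
"""Fleet check for devices that present an identical TLS certificate.

A private key baked into firmware means every unit ships the same
certificate, so grouping devices by certificate fingerprint exposes the
problem without touching the key. Sample data below is constructed.
"""
import hashlib
import socket
import ssl
from collections import defaultdict
from typing import Dict, Iterable, List


def cert_fingerprint(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """SHA-256 over the DER certificate a device presents.

    Verification is switched off on purpose: the goal is to identify the
    certificate, not to trust it, and device certs are usually self-signed.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest()


def collect_fingerprints(hosts: Iterable[str], port: int = 443) -> Dict[str, str]:
    """Fingerprint each reachable host; unreachable hosts are reported, not fatal."""
    results: Dict[str, str] = {}
    for host in hosts:
        try:
            results[host] = cert_fingerprint(host, port)
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: skipped ({exc})")
    return results


def shared_certificates(fingerprints: Dict[str, str]) -> Dict[str, List[str]]:
    """Return only the fingerprints seen on two or more hosts.

    Any such group is a candidate for a shared (hard-coded) key and should
    be scheduled for the vendor firmware update and a certificate reissue.
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for host, fp in fingerprints.items():
        groups[fp].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


# Constructed inventory: three switches sharing one certificate, one with a
# unique certificate. Hostnames and hashes are illustrative only.
SAMPLE: Dict[str, str] = {
    "sw-plant-01.example": "aa" * 32,
    "sw-plant-02.example": "aa" * 32,
    "sw-plant-03.example": "aa" * 32,
    "sw-lab-01.example": "bb" * 32,
}


if __name__ == "__main__":
    # Replace SAMPLE with collect_fingerprints([...]) to run against live devices.
    for fp, hosts in shared_certificates(SAMPLE).items():
        print(f"certificate {fp[:16]}... shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Run it with an inventory of management addresses and treat every group it prints as a device that still needs the fixed firmware or, if already updated, a regenerated certificate, since updating code does not by itself prove the device stopped using the old shared key.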
ICS-CERT notes that these two new firmware releases were made available in December of last year and January of this year. It is possible that some of these devices have already been fixed. The earlier release contained a number of other, non-security bug fixes. It is interesting that it has taken so long for this advisory to be published by ICS-CERT. I would assume that it was due to communications issues.