Managed Ethernet switches produced by GE include the hard-coded private SSL key in a number of network devices. The Ethernet switches that present the security hole are designed for use in industrial and transportation systems. The presence of hard-coded private SSL key could allow an attacker to extract it from the firmware of the switches remotely, as explained by researchers at IOActive who discovered the flaw. The attacker can descrypt SSL traffic by stealing the SSL private key from the firmware.
According to the advisory from ICS-CERT, the affected devices belonging to the GE Multilink Ethernet switch family:
The ICS-CERT also warned about a denial-of-service attack on the switch embedded Web interface, it is possible in fact to degradate the performance of the network device by targeting it with specifically crafted packets.
“The GE Multilink ML800 is subject to unauthorized access via hard-coded credentials. In addition, availability can be impacted through attacks composed of specifically crafted packets to the web server resulting in switch performance degradation. If attacks continue, the web server will be subject to a denial of service,”
“The RSA private key used to decrypt SSL traffic in the switch can be obtained from the firmware allowing malicious users to decrypt traffic.”
The ICS-CERT and GE advisory include recommendations to mitigate security issues, regarding the “HARD-CODED RSA PRIVATE KEY” they suggest to update the firmware of the switches, while to address “MITIGATION OF SLOW DATA TRANSFER/DOS” it is recommended to disable web server in a production environment.
HARD-CODED RSA PRIVATE KEY
“GE recommends that its customers update the switch firmware to the latest published version to enable new keys to be calculated and exchanged. The latest firmware is Version 4.2.1 for the ML800, ML1200, ML1600 and ML2400 and Version 5.2.0 for the ML810, ML3000, and ML3100. Firmware updates are available from GE through the “Resources/Software” link in the product brochures. ICS-CERT and GE recommend updating the switch over a serial connection to prevent an attacker from capturing the new key.”
MITIGATION OF SLOW DATA TRANSFER/DOS
“This denial-of-service attack affects the web interface used to configure the device with a web browser. It is recommended that when deploying the device into a production environment that the web server be disabled in order to effectively mitigate this vulnerability. After disabling the web interface, a user remains able to configure the device locally or remotely through the command line interfaces without risk of this attack. By connecting to the command line interface through serial terminal or telnet, it is possible to disable the web server.” reads the advisory.
The Product Bulletin issued by IOActive provides more details on the security flaws, including the instructions on deploying the updated firmware.
(Security Affairs – GE Ethernet switches, hacking)