
ICS-CERT Warns That Infrastructure Switches Have Hard-Coded Account Holes

Unknown Lamer posted more than 2 years ago | from the password-is-a-good-password-right dept.


Trailrunner7 writes with news of more critical infrastructure not being well secured. From the article: "The Department of Homeland Security is warning users of some of GarrettCom's switches that there is a hard-coded password in a default account on the devices, which are deployed in a number of critical infrastructure industries, that could allow an attacker to take control of them. A researcher at Cylance discovered the hidden account and warned the ICS-CERT...The problem exists in the GarrettCom Magnum MNS-6K Management Software and the company has released an updated version of the application that addresses the vulnerability. GarrettCom's switches are used in a variety of industries, including transportation, utilities and defense. The company issued a new version of the affected software in May, but didn't note that the fix for this vulnerability was included in it. 'A "factory" account intended to only be allowed to log in over a local serial console port exists in certain versions of GarrettCom's MNS-6K and MNS-6K-SECURE software. Cylance has identified an unforeseen method whereby a user authenticated as "guest" or "operator" can escalate privileges to the "factory" account,' Cylance said in its advisory."


An unforeseen method (0)

Anonymous Coward | more than 2 years ago | (#41236489)

They enter the hardcoded password.

Re:An unforeseen method (5, Insightful)

Trepidity (597) | more than 2 years ago | (#41236555)

Well, yes, but it sounds like the intention was that this method of authentication should only be available via the serial console.

My guess from the description is that they blocked non-console logins as the 'factory' user, but forgot about the equivalent of 'su', so you can login as another user and then escalate. Sort of like blocking ssh login as root, but having a guest account and a published root password: someone can still ssh as the guest account and then escalate to root.
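The su-style gap Trepidity describes, as an added toy model (not GarrettCom's code and not taken from the advisory): the console-only rule for the factory role is enforced at login but forgotten on the escalation path, shown beside a version that routes both paths through one authorisation check. Account names, passwords and channel names below are constructed.

```python
"""Toy model of the access-control flaw discussed above (hypothetical code,
not GarrettCom's): the console-only rule for the 'factory' role is enforced
on the login path but not on the su-like escalation path.
All accounts, passwords and channel names here are constructed."""

from dataclasses import dataclass

# Constructed sample accounts: role -> (password, channels allowed to reach it).
ACCOUNTS = {
    "guest":    ("guest-pw-constructed",    {"serial", "network"}),
    "operator": ("operator-pw-constructed", {"serial", "network"}),
    "factory":  ("factory-pw-constructed",  {"serial"}),  # console-only by design
}


@dataclass
class Session:
    role: str
    channel: str  # "serial" (local console) or "network" (telnet/ssh/web)


def _password_ok(role, password):
    return role in ACCOUNTS and ACCOUNTS[role][0] == password


def _channel_ok(role, channel):
    return role in ACCOUNTS and channel in ACCOUNTS[role][1]


# --- Vulnerable variant: the channel restriction lives only in login() -----
def login_vuln(role, password, channel):
    """Login checks password and channel, so 'factory' over the network fails."""
    if not (_password_ok(role, password) and _channel_ok(role, channel)):
        return None
    return Session(role, channel)


def become_vuln(session, target, password):
    """su-style escalation: checks the password but never the channel,
    so a network 'guest' session can reach 'factory'."""
    if session is None or not _password_ok(target, password):
        return None
    return Session(target, session.channel)


# --- Hardened variant: one authorisation chokepoint for every path ---------
def authorize(role, password, channel):
    """A role is granted only if both the password and the channel policy
    pass, regardless of which code path asks."""
    if _password_ok(role, password) and _channel_ok(role, channel):
        return Session(role, channel)
    return None


def login_fixed(role, password, channel):
    return authorize(role, password, channel)


def become_fixed(session, target, password):
    if session is None:
        return None
    # Escalation inherits the session's channel, so the console-only rule
    # for 'factory' is enforced here as well.
    return authorize(target, password, session.channel)


def escalation_possible(login, become, channel):
    """True if a 'guest' session on `channel` can end up holding 'factory'."""
    s = login("guest", ACCOUNTS["guest"][0], channel)
    s = become(s, "factory", ACCOUNTS["factory"][0])
    return s is not None and s.role == "factory"
```

The test to write against such a device is the last function: the same escalation that must succeed on the serial console must fail on every network channel.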

Re:An unforeseen method (2)

Opportunist (166417) | more than 2 years ago | (#41237345)

So what if it "should" be? I don't care what "should" be. My question is not why it exists, my question is why
a) I don't know about it as the customer
b) I cannot disable it
c) it is enabled by default.

Re:An unforeseen method (0)

Anonymous Coward | more than 2 years ago | (#41237483)

whoooooah. neckbeard hardass!

Re:An unforeseen method (1)

Baloroth (2370816) | more than 2 years ago | (#41237485)

So what if it "should" be? I don't care what "should" be. My question is not why it exists, my question is why a) I don't know about it as the customer b) I cannot disable it c) it is enabled by default.

a) Because you shouldn't need to

b) and c) are the same: because part of the point is to regain access to the device if a customer screws up the account login. It's meant as a failsafe. Not much of a failsafe if they can just disable it (or if it can be disabled by accident for that matter). No, devices like that shouldn't be used in highly sensitive work, but it is a pretty widespread practice in the industry to have such backdoors.

Re:An unforeseen method (2)

Trepidity (597) | more than 2 years ago | (#41237649)

If it's correctly implemented, so it really can only be accessed via the serial console, it's also not a huge deal in common applications. If someone has access to the serial console, you're generally hosed, since few networks are designed to be robust against an adversary with physical access: there's all sorts of mischief you can cause if you're physically present in the server room, and can plug devices into the routers or patch into cables at will.

Re:An unforeseen method (0)

Anonymous Coward | more than 2 years ago | (#41239213)

So what if it "should" be? I don't care what "should" be. My question is not why it exists, my question is why
a) I don't know about it as the customer
b) I cannot disable it
c) it is enabled by default.

a) Because you shouldn't need to

It doesn't work that way. If there is a hardcoded account with a default password, it will get out. Because someone will know, someone will use it, someone will eventually leak the information.

Re:An unforeseen method (1)

someones (2687911) | more than 2 years ago | (#41239895)

So what?
If you rely on security thru obscurity, please, PLEASE, immediately resign from any work related to the network/system security field.

So.... (0)

Sparticus789 (2625955) | more than 2 years ago | (#41236559)

So the alert is that if a hacker can obtain the password for a low-privilege account, they can escalate their privileges to a super-user account. If a hacker can get ANY password for your system, then you are doing it wrong in the first place. Whether it is Janitor Bob's login or the CEO, password strength is a necessity. Especially so for network gear as the traffic passed through a switch like this would make for some interesting exploitative attacks on whatever infrastructure they support.

But the important take-away from this is simple: "password" or "12345" or any 1337 derivative of those passwords should not be used for absolutely anything. Passwords which maximize entropy or multi-factor authentication are the best way to go.

Re:So.... (0)

Anonymous Coward | more than 2 years ago | (#41236857)

So what if Jim Bob who is working as an intern engineer on the management systems (who only happens to have access to SNMP & logging related commands) decides he wants to exploit the system?

Re:So.... (4, Insightful)

Sique (173459) | more than 2 years ago | (#41236887)

Wrong. Completely wrong.

You are missing the most important aspect.

There are users with different priviledges for a reason. It is quite possible that a person rightly knows the password for a guest account (for instance for monitoring reasons), but is not entitled any more priviledges.
If this person then can escalate the guest priviledges to factory, you have a completely different set of problems than password security.

Re:So.... (-1)

Anonymous Coward | more than 2 years ago | (#41237191)

It's "privilege", no "d"...

Re:So.... (1)

Sparticus789 (2625955) | more than 2 years ago | (#41238745)

if a hacker can obtain the password for a low-privilege account, they can escalate their privileges to a super-user account.

RTFC. You are just repeating what I said. If Hacker 1 cannot get into Guest Account 1, then this exploit doesn't MATTER. That can be accomplished with password security, VLAN, physical security, IDS, etc.

It's like the password reset on Cisco products. If you can gain physical access to a Cisco box, you can decrypt the super-user password and do whatever you want. Or you can factory reset it. That is not an exploit. It is a feature, and can be very useful at times. But it depends on another layer of security, preventing unauthorized physical access to the box. This "exploit" depends on the system already being exploited in the first place.

Re:So.... (1)

Endovior (2450520) | more than 2 years ago | (#41239779)

Uh... no, you missed a more important point, there. It's quite crippling if the company can't configure different security levels to actually be, you know, secure... essentially, this vulnerability means that if Janitor Bob has guest access, he can escalate to superuser and walk off with whatever he wants. And since as a company, you want to have most people have limited access and a very few trusted people have full access, this is huge. Sure, it'd be nice if you had everything totally locked down, with the background checks on your janitors as intensive as those on your administrators... but since that's a huge deal of expense, it makes a lot more sense to simply make sure that your janitors don't actually have access to anything sensitive. The fact that this security flaw also means that any of your passwords are gold to hackers is just a side effect.

Re:So.... (1)

Sparticus789 (2625955) | more than 2 years ago | (#41246519)

Janitor Bob also has keys to the building. So therefore Janitor Bob has physical access to these routers. Therefore if Janitor Bob was a nefarious hacker, he would be able to do anything to that box he wanted, given the numerous ways to hack a router when you have physical access.

Re:So.... (0)

Anonymous Coward | more than 2 years ago | (#41236905)

This is still an issue regardless of whether the sysop is doing his job right or not because of local privilege escalation.

I want to hire some of those cyborgs you use. (2)

Medievalist (16032) | more than 2 years ago | (#41237023)

If a hacker can get ANY password for your system, then you are doing it wrong in the first place.

By "doing it wrong" I assume you meant "employing human beings" since it's been repeatedly proven that normal human employees will trade their passwords for sex, chocolate, or free theatre tickets.

Re:I want to hire some of those cyborgs you use. (1)

Opportunist (166417) | more than 2 years ago | (#41237411)

Fffft, how expensive. Most people will gladly trade it for the promise that you won't let the sky come down falling on them, i.e. you don't close their WoW accounts.

Re:I want to hire some of those cyborgs you use. (3, Funny)

mcgrew (92797) | more than 2 years ago | (#41238707)

The studies I saw that showed that "normal human employees will trade their passwords for sex, chocolate, or free theatre tickets" had a HUGE flaw -- they didn't check to see if the respondents were lying when they gave "their" password. Hell, if someone offered me sex for my password, I'd say "sure, it's swordfish." Which it isn't really, but I'd still get laid.

Re:So.... (1)

sjames (1099) | more than 2 years ago | (#41237101)

It's not at all unusual in a switch or router to have some people (or role accounts) authorized for monitoring only and others authorized to have full administrative control.

This flaw effectively removed the difference and silently granted all users the ability to become root.

Re:So.... (1)

vlm (69642) | more than 2 years ago | (#41237981)

I'm not familiar with the gear that has the "exploit" but I'm assuming it's vlan capable, and none of my vlan capable switches have ever been accessible by anyone but the SNMP management console machine and the network admin's desk and a couple other "secure" locations. By design not as simple as plug into an ethernet jack in the conference room and telnet in...

If this hardware isn't vlan capable I'm not sure what they're thinking WRT the design. Probably some GD software patent on the concept of having a management VLAN. Although I know cisco and netgear switches both have this concept, so at least it's widely licensed.

It's a fire sale! (2)

Iniamyen (2440798) | more than 2 years ago | (#41236643)

Thomas Gabriel warned them! And they ignored him!

WHO? (0)

Anonymous Coward | more than 2 years ago | (#41236647)

Who the heck is GARRETTCOM? Why not go with an industry leader like CISCO, 3COM, D-LINK, Netgear, ETC?

Re:WHO? (1)

Shatrat (855151) | more than 2 years ago | (#41236667)

Because they make affordable NEBS compliant DC powered switches.

Re:WHO? (2)

Shatrat (855151) | more than 2 years ago | (#41236693)

PS, D-Link and Netgear? This isn't 'mom's basement' applications, it's telecom and other utilities.

Re:WHO? (4, Informative)

OAB_X (818333) | more than 2 years ago | (#41237083)

Cisco, D-Link, Netgear, etc. do not make (much) industrial temp (-40 to +80C, very high EMI/static discharge tolerances, etc.) networking equipment.

Garrettcom was not the only company in the industry to be caught doing the same thing (see: http://it.slashdot.org/story/12/04/25/1456210/backdoor-in-ruggedos-systems-infrastructure-military-systems-vulnerable [slashdot.org] ). Note the latter one has according to the company been patched out in the latest software release.

Re:WHO? (1)

Shatrat (855151) | more than 2 years ago | (#41238315)

Cisco does make C-temp NEBS compliant switches, they just charge Cisco prices for it. See the ME-3400.
For I-temp rated stuff I don't know of any off the top of my head, but only because we generally don't deploy active gear in non-environmental enclosures.

Re:WHO? (0)

Anonymous Coward | more than 2 years ago | (#41245353)

I'm a controls engineer working in industrial automation and process control. MOXA and Hirschmann are excellent brands for industrial stuff, and in North America Allen-Bradley makes Stratix switches that are pretty decent, although they charge like they are gold plated. Wouldn't dream of using Cisco crap in real industrial environments. This is of course yet another example of how critical infrastructure networks never seem to get the level of scrutiny that they deserve.

That's what you get (2)

kiriath (2670145) | more than 2 years ago | (#41236837)

For not using Cisco Gear. ...

*ducks*

Re:That's what you get (0)

Anonymous Coward | more than 2 years ago | (#41236941)

We're a govt agency and use only Cisco gear.... which some tinfoil hatters think only comes with govt-approved (and govt-sponsored) backdoors :D

Re:That's what you get (4, Informative)

Shoten (260439) | more than 2 years ago | (#41237071)

For not using Cisco Gear. ...

*ducks*

Cisco gear isn't suitable for most of the environments where this stuff goes. There's a whole world of networking applications that require industrial hardness. No cooling fans or vents, a form factor to fit on DIN rails [wikipedia.org] , and even intrinsically safe (i.e., won't make sparks that would ignite flammable gases) characteristics. Oh, also...tolerance to heat (small substations don't have cooled server rooms, for example, and neither do a lot of facilities in the oil/gas world), hardened ability to resist RF and EM interference, being sealed against dust...the list goes on and on.

Cisco and the companies you're used to have largely forgone this market, leaving it to companies like RuggedCom, Hirschmann, GarrettCom, and the like. Cisco does have a line of gear that aims at this market, but they just introduced it, the line is relatively small, and they don't have much traction yet. I work in this field, myself, and I like Cisco gear; I'll put it in wherever I can, when doing a design. But for a lot of cases, you simply *can't* use it, at all.

Re:That's what you get (1)

Mister Whirly (964219) | more than 2 years ago | (#41237255)

I would say even if your non industrial hardened switches are throwing sparks, it is time to get some new gear.

Re:That's what you get (3, Informative)

rdunnell (313839) | more than 2 years ago | (#41237409)

That's not exactly the point. Sure, if a switch is sparking, then it is broken. The point of this gear is that it has been built such that if it breaks, it won't be able to emit dangerous sparks that might do something like cause an explosion in the presence of a buildup of gas or whatever. It still has to be replaced, just like the non-hardened switch, but it is less risky to deploy in an environment where such hazards might be present.

Re:That's what you get (4, Informative)

schitso (2541028) | more than 2 years ago | (#41237421)

There's a difference between "shouldn't spark" and "will never spark, ever". Especially in environments where there is the possibility of a release of explosive gases.

Re:That's what you get (0)

Anonymous Coward | more than 2 years ago | (#41237435)

You're making a joke, but it's got more to do with failure modes. If having your power supply fail blows up the factory, that's bad design.

Re:That's what you get (1)

vlm (69642) | more than 2 years ago | (#41238053)

and even intrinsically safe (i.e., won't make sparks that would ignite flammable gases) characteristics.

OK I'll bite. How does garrettcom do this? I mean at the ISO level 1 electrical/hardware characteristics? I'm guessing it's a huge challenge to do PoE that cannot theoretically spark when you yank a current carrying cable out of a jack. Maybe physical lock holds the ethernet plug in and unlocking the plug powers down the PoE faster than you can yank the cable, or some ridiculous arrangement with constant current source and a SCR crowbar ckt if the voltage rises too high aka is arcing? Or they just don't sell PoE, which is probably the simplest solution? But aren't there some of the zillions of copper ethernet standards with what used to be called in the telecom world "simplex current" so even just being non-PoE won't help? Old fashioned FDDI would seem to be the simplest intrinsically safe solution.

TLDR: curious at a hardware/electrical/EE level how intrinsically safe PoE works.

Re:That's what you get (1)

petermgreen (876956) | more than 2 years ago | (#41240095)

I am not an intrinsic safety expert but my thoughts:

Modern ethernet (from 10base-T forward) is AC coupled and the signal levels are pretty small, so they may well be low enough that they can be exposed externally provided appropriate protection is in place (and NO POE of course). I doubt anyone cares about 10base-2 and 10base-5 at this point.

As for circuits that must not be exposed to the explosive atmosphere I would guess they usually hardwire it through special glands. If it has to go through connectors they would use special (and expensive) sealed and interlocked ones.

I'd think the biggest problem for equipment in potentially explosive atmospheres would be cooling since enclosures would have to have a gas-tight seal.

Re:That's what you get (1)

mcgrew (92797) | more than 2 years ago | (#41237585)

I tried making a router out of ducks once, it didn't work too well.

Re:That's what you get (1)

Dishevel (1105119) | more than 2 years ago | (#41238747)

I have never made a router out of ducks but I did once create a switch out of ducks.
Worked great for situations where you wanted high bandwidth and could live with really bad latency.

A guest account? (1)

m6tt (263581) | more than 2 years ago | (#41236871)

God forbid I have someone come over for dinner and they're unable to login to my infrastructure switches and peruse the configs!

Re:A guest account? (2)

vlm (69642) | more than 2 years ago | (#41238111)

God forbid I have someone come over for dinner and they're unable to login to my infrastructure switches and peruse the configs!

In years past I've had repeated experiences with Cisco TAC along the lines of "I donno we've never seen anything like that before, mind if we log in and take a look?"

This is for stuff that takes more than "show tech" or where "show tech" looks so weird they need more data.

Needless to say this was at an ISP with a hardware budget best expressed in scientific notation, not home user with a $79 smart switch.

It's not as unlikely as you'd think.

The funny part is they always reboot and if that doesn't work swap hardware... it's just a delaying tactic or to make the customer feel better, as far as I know.

Thanks DHS! (1)

fustakrakich (1673220) | more than 2 years ago | (#41236947)

Good to see you provide a useful service for a change.

Now, get out of my pants!

Re:Thanks DHS! (0)

Anonymous Coward | more than 2 years ago | (#41237141)

I'm not even going to ask why you have a GarrettCom switch in your pants. But hey, whatever gets you through the night.

Re:Thanks DHS! (0)

Anonymous Coward | more than 2 years ago | (#41237295)

It's because Cisco switches have fans. And we all know how painful that can be.

Re:Thanks DHS! (1)

Anonymous Coward | more than 2 years ago | (#41237347)

And we all know how painful that can be.

That settles it. I am so NOT going to the Network Admin Happy Hour this Friday.

GarretCom (0)

Anonymous Coward | more than 2 years ago | (#41237165)

Lots of devices have this issue. It looks like GarrettCom pissed off the wrong person.

Wait a minute... (2)

camperdave (969942) | more than 2 years ago | (#41237209)

Wait a minute... Isn't the Department of Homeland Security the one that *wants* backdoor access to everything? After all, you can't put locks on your luggage unless they have a DHS backdoor. Why are they warning us about this? I'm confused. Are we supposed to be rooting for them now?

Re:Wait a minute... (0)

Anonymous Coward | more than 2 years ago | (#41237285)

You don't get it. They want unlimited access to YOUR stuff. This is somebody ELSE having access to corporate stuff, and we absolutely must protect corporations at all costs.

Re:Wait a minute... (1)

Dins (2538550) | more than 2 years ago | (#41237509)

I don't give a shit about corporations. I do give a shit about the network hardware controlling the local nuclear power plant.

Re:Wait a minute... (1)

MickyTheIdiot (1032226) | more than 2 years ago | (#41237663)

Your congresscritter:
"I don't give a shit about the local nuclear power plant. I do give a shit about the network hardware controlling corporations."

You see, one pays much better than the other.

Explanation, please. (2)

zooblethorpe (686757) | more than 2 years ago | (#41237299)

Are we supposed to be rooting for them now?

That depends -- exactly how do you mean that?

:-P

Re:Wait a minute... (0)

Anonymous Coward | more than 2 years ago | (#41237417)

ICS-CERT, US-CERT and the like have been part of DHS since its inception. You're surprised that the executive department responsible for infrastructure, telecommunications and networking security provides guidance and warnings about things that compromise those?

Re:Wait a minute... (1)

fa2k (881632) | more than 2 years ago | (#41237449)

Wait a minute... Isn't the Department of Homeland Security the one that *wants* backdoor access to everything?

From TFS: "A researcher at Cylance discovered the hidden account and warned the ICS-CERT." If it's out in public, it's of no use to them.

It would be refreshing to have a similar level of objectivity as in this story the next time a backdoor is found in a Chinese switch.

Readme.txt (4, Funny)

ThatsNotPudding (1045640) | more than 2 years ago | (#41237215)

"Users are also instructed to pencil-in quotation marks around the word 'SECURE' in all of devices' badges and documentation."

This is progress (3, Insightful)

Animats (122034) | more than 2 years ago | (#41237515)

We're making progress on disclosure. A few years ago, companies screamed when somebody found and published information about a hole in their products. Now the disclosures are given wide distribution by the U.S. Government's anti-terrorist agency.

That sort of thing makes a big difference when big purchasing decisions are being made. "Homeland Security says that company's products are insecure" can easily lose a company a big sale.

Re:This is corporatism (0)

Anonymous Coward | more than 2 years ago | (#41238255)

Or it could be a bigger fish calling DHS and saying "you really need to draw attention to this horrific security practice by our smaller competitor with an otherwise technically superior device."

I'm not saying these things shouldn't be reported, but access to regulatory authorities is one of the hallmarks of our system.

proprietary software (0)

Anonymous Coward | more than 2 years ago | (#41237651)

You're using proprietary software on an embedded device, and now you're complaining that it has a backdoor that you didn't know about and can't change?
http://xkcd.com/743/

Factory accounts serve a useful purpose (4, Informative)

davidwr (791652) | more than 2 years ago | (#41237749)

However, if they can be abused then we have a problem.

I wouldn't necessarily call it a "factory" account, but the well-known way to reset the LOCAL administrator password in a Microsoft Windows Active Directory Domain Account then using other "offline" means has saved more than a few Network Administrators time and possibly their jobs, BUT if such a technique were known to be exploitable remotely, all hell would break loose.

If a box I'm running has a factory-backdoor, I generally have several requirements from the vendor:
* I know it has a backdoor
* I know what physical access, if any, is required to use the backdoor
* I know how to turn it off, or I know that it can't be turned off and accept the risk. Where physical access is required, locking up the device "turns off" the back-door.
* I know how to make it tamper-evident or I know I can't and accept the risk. If physical access is required, a seal across the door leading to the equipment room provides tamper-evidence.

SCADA default insecurity? (1)

dgharmon (2564621) | more than 2 years ago | (#41241807)

Why don't they run these SCADA [wikipedia.org] units over a VPN [wikipedia.org] circuit run on embedded hardware [wikipedia.org]?