ICS-CERT Warns That Infrastructure Switches Have Hard-Coded Account Holes 60
Trailrunner7 writes with news of more critical infrastructure not being well secured. From the article: "The Department of Homeland Security is warning users of some of GarrettCom's switches that there is a hard-coded password in a default account on the devices, which are deployed in a number of critical infrastructure industries, that could allow an attacker to take control of them. A researcher at Cylance discovered the hidden account and warned the ICS-CERT...The problem exists in the GarrettCom Magnum MNS-6K Management Software and the company has released an updated version of the application that addresses the vulnerability. GarrettCom's switches are used in a variety of industries, including transportation, utilities and defense. The company issued a new version of the affected software in May, but didn't note that the fix for this vulnerability was included in it. 'A "factory" account intended to only be allowed to log in over a local serial console port exists in certain versions of GarrettCom's MNS-6K and MNS-6K-SECURE software. Cylance has identified an unforseen method whereby a user authenticated as "guest" or "operator" can escalate privileges to the "factory" account,' Cylance said in its advisory."
Re:An unforseen method (Score:5, Insightful)
Well, yes, but it sounds like the intention was that this method of authentication should only be available via the serial console.
My guess from the description is that they blocked non-console logins as the 'factory' user, but forgot about the equivalent of 'su', so you can login as another user and then escalate. Sort of like blocking ssh login as root, but having a guest account and a published root password: someone can still ssh as the guest account and then escalate to root.
Re: (Score:3)
So what if it "should" be? I don't care what "should" be. My question is not why it exists, my question is why
a) I don't know about it as the customer
b) I cannot disable it
c) it is enabled by default.
Re: (Score:2)
So what if it "should" be? I don't care what "should" be. My question is not why it exists, my question is why a) I don't know about it as the customer b) I cannot disable it c) it is enabled by default.
a) Because you shouldn't need to
b) and c) are the same: because part of the point is to regain access to the device if a customer screws up the account login. It's meant as a failsafe. Not much of a failsafe if they can just disable it (or if it can be disabled by accident for that matter). No, devices like that shouldn't be used in highly sensitive work, but it is a pretty widespread practice in the industry to have such backdoors.
Re: (Score:3)
If it's correctly implemented, so it really can only be accessed via the serial console, it's also not a huge deal in common applications. If someone has access to the serial console, you're generally hosed, since few networks are designed to be robust against an adversary with physical access: there's all sorts of mischief you can cause if you're physically present in the server room, and can plug devices into the routers or patch into cables at will.
Re: (Score:1)
So what?
if you rely on security thru obscurity, please, PLEASE, immidiately resign from any work related to the network/system security field.
So.... (Score:1)
So the alert is that if a hacker can obtain the password for a low-privilege account, they can escalate their privileges to a super-user account. If a hacker can get ANY password for your system, then you are doing it wrong in the first place. Whether it is Janitor Bob's login or the CEO, password strength is a necessity. Especially so for network gear as the traffic passed through a switch like this would make for some interesting exploitative attacks on whatever infrastructure they support.
But the impo
Re:So.... (Score:5, Insightful)
Wrong. Completely wrong.
You are missing the most important aspect.
There are users with different priviledges for a reason. It is quite possible that a person rightly knows the password for a guest account (for instance for monitoring reasons), but is not entitled any more priviledges.
If this person then can escalate the guest priviledges to factory, you have a completely different set of problems than password security.
Re: (Score:2)
if a hacker can obtain the password for a low-privilege account, they can escalate their privileges to a super-user account.
RTFC. You are just repeating what I said. If Hacker 1 cannot get into Guest Account 1, then this exploit doesn't MATTER. That can be accomplished with password security, VLAN, physical security, IDS, etc.
It's like the password reset on Cisco products. If you can gain physical access to a Cisco box, you can decrypt the super-user password and do whatever you want. Or you can factory reset it. That is not an exploit. It is a feature, and can be very useful at times. But it depends on another layer of
Re: (Score:2)
Re: (Score:2)
Janitor Bob also has keys to the building. So therefore Janitor Bob has physical access to these routers. Therefore in Janitor Bob was a nefarious hacker, he would be able to do anything to that box he wanted, given the numerous ways to hack a router when you have physical access.
I want to hire some of those cyborgs you use. (Score:3)
By "doing it wrong" I assume you meant "employing human beings" since it's been repeatedly proven that normal human employees will trade their passwords for sex, chocolate, or free theatre tickets.
Re: (Score:2)
Fffft, how expensive. Most people will gladly trade it for the promise that you won't let the sky come down falling on them, i.e. you don't close their WoW accounts.
Re:I want to hire some of those cyborgs you use. (Score:4, Funny)
The studies I saw that showed that "normal human employees will trade their passwords for sex, chocolate, or free theatre tickets" had a HUGE flaw -- they didn't check to see if the respondants were lying when they gave "their" password. Hell, if someone offered me sex for my password, I'd say "sure, it's swordfish." Which it isn't really, but I'd still get laid.
Re: (Score:2)
It's not at all unusual in a switch or router to have some people (or role accounts) authorized for monitoring only and others authorized to have full administrative control.
This flaw effectively removed the difference and silently granted all users the ability to become root.
Re: (Score:2)
I'm not familiar with the gear that has the "exploit" but I'm assuming its vlan capable, and none of my vlan capable switches have ever been accessible by anyone but the SNMP management console machine and the network admin's desk and a couple other "secure" locations. By design not as simple as plug into an ethernet jack in the conference room and telnet in...
If this hardware isn't vlan capable I'm not sure what they're thinking WRT the design. Probably some GD software patent on the concept of having a
It's a fire sale! (Score:2)
Re: (Score:2)
Because they make affordable NEBS compliant DC powered switches.
Re: (Score:3)
PS, D-Link and Netgear? This isn't 'mom's basement' applications, it's telecom and other utilities.
Re:WHO? (Score:5, Informative)
Cisco, D-Link, Netgear, etc. do not make (much) industrial temp (-40 to +80C, very high EMI/static discharge tolerances, etc.) networking equipment.
Garrettcom was not the only company in the industry to be caught doing the same thing (see: http://it.slashdot.org/story/12/04/25/1456210/backdoor-in-ruggedos-systems-infrastructure-military-systems-vulnerable [slashdot.org]). Not the latter one has according to the company been patched out in the latest software release.
Re: (Score:2)
Cisco does make C-temp NEBS compliant switches, they just charge Cisco prices for it. See the ME-3400.
For I-temp rated stuff I don't know of any off the top of my head, but only because we generally don't deploy active gear in non-environmental enclosures.
That's what you get (Score:2)
For not using Cisco Gear. ...
*ducks*
Re:That's what you get (Score:5, Informative)
For not using Cisco Gear. ...
*ducks*
Cisco gear isn't suitable for most of the environments where this stuff goes. There's a whole world of networking applications that require industrial hardness. No cooling fans or vents, a form factor to fit on DIN rails [wikipedia.org], and even intrinsically safe (i.e., won't make sparks that would ignite flammable gases) characteristics. Oh, also...tolerance to heat (small substations don't have cooled server rooms, for example, and neither do a lot of facilities in the oil/gas world), hardened ability to resist RF and EM interference, being sealed against dust...the list goes on and on.
Cisco and the companies you're used to have largely foregone this market, leaving it to companies like RuggedCom, Hirschmann, GarrettCom, and the like. Cisco does have a line of gear that aims at this market, but they just introduced it, the line is relatively small, and they don't have much traction yet. I work in this field, myself, and I like Cisco gear; I'll put it in wherever I can, when doing a design. But for a lot of cases, you simply *can't* use it, at all.
Re: (Score:2)
Re:That's what you get (Score:4, Informative)
That's not exactly the point. Sure, if a switch is sparking, then it is broken. The point of this gear is that it has been built such that if it breaks, it won't be able to emit dangerous sparks that might do something like cause an explosion in the presence of a buildup of gas or whatever. It still has to be replaced, just like the non-hardened switch, but it is less risky to deploy in an environment where such hazards might be present.
Re:That's what you get (Score:5, Informative)
Re: (Score:2)
and even intrinsically safe (i.e., won't make sparks that would ignite flammable gases) characteristics.
OK I'll bite. How does garrettcom do this? I mean at the ISO level 1 electrical/hardware characteristics? I'm guessing its a huge challenge to do PoE that cannot theoretically spark when you yank a current carrying cable out of a jack. Maybe physical lock holds the ethernet plug in and unlocking the plug powers down the PoE faster than you can yank the cable, or some ridiculous arrangement with constant current source and a SCR crowbar ckt if the voltage rises too high aka is arcing? Or they just don't
Re: (Score:2)
I am not an intrinsic safety expert but my thoughts:
Modern ethernet (from 10base-T forward) is AC coupled and the signal levels are pretty small, so they may well be low enough that they can be exposed externally provided appropriate protection is in place (and NO POE of course). I doubt anyone cares about 10base-2 and 10base-5 at this point.
As for circuits that must not be exposed to the explosive atmosphere I would guess they usually hardwire it through special glands. If it has to go through connectors t
Re: (Score:2)
I tried making a router out of ducks once, it didn't work too well.
Re: (Score:2)
I have never made a router out of ducks but I did once create a switch out of ducks.
Worked great for situations where you wanted high bandwidth and could live with really bad latency.
A guest account? (Score:1)
God forbid I have someone come over for dinner and they're unable to login to my infrastructure switches and peruse the configs!
Re: (Score:3)
God forbid I have someone come over for dinner and they're unable to login to my infrastructure switches and peruse the configs!
In years past I've had repeated experiences with Cisco TAC along the lines of "I donno we've never seen anything like that before, mind if we log in and take a look?"
This is for stuff that takes more than "show tech" or where "show tech" looks so weird they need more data.
Needless to say this was at an ISP with a hardware budget best expressed in scientific notation, not home user with a $79 smart switch.
Its not as unlikely as you'd think.
The funny part is they always reboot and if that doesn't work swap ha
Thanks DHS! (Score:1)
Good to see you provide a useful service for a change.
Now, get out of my pants!
Re: (Score:1)
And we all know how painful that can be.
That settle it. I am so NOT going to the Network Admin Happy Hour this Friday.
Wait a minute... (Score:3)
Re: (Score:2)
Re: (Score:2)
Your congresscritter:
"I don't give a shit about the local nuclear power plant. I do give a shit about the network hardware controlling corporations."
You see, one pays much better than the other.
Explanation, please. (Score:3)
Are we supposed to be rooting for them now?
That depends -- exactly how do you mean that?
:-P
Re: (Score:1)
Wait a minute... Isn't the Department of Homeland Security the one that *wants* backdoor access to everything?
From TFS: "A researcher at Cylance discovered the hidden account and warned the ICS-CERT." If it's out in public, it's of no use to them.
It would be refreshing to have a similar level of objectivity as in this story the next time a backdoor is found in a Chinese switch..
Readme.txt (Score:5, Funny)
This is progress (Score:4, Insightful)
We're making progress on disclosure. A few years ago, companies screamed when somebody found and published information about a hole in their products. Now the disclosures are given wide distribution by the U.S. Government's anti-terrorist agency.
That sort of thing makes a big difference when big purchasing decisions are being made. "Homeland Security says that company's products are insecure" can easily lose a company a big sale.
Factory accounts serve a useful purpose (Score:4, Informative)
However, if they can be abused then we have a problem.
I wouldn't necessarily call it a "factory" account, but the well-known way to reset the LOCAL administrator password in a Microsoft Windows Active Directory Domain Account then using other "offline" means has saved more than a few Network Administrators time and possibly their jobs, BUT if such a technique were known to be exploitable remotely, all hell would break loose.
If a box I'm running has a factory-backdoor, I generally have several requirements from the vendor:
* I know it has a backdoor
* I know what physical access, if any, is required to use the backdoor
* I know how to turn it off, or I know that it can't be turned off and accept the risk. Where physical access is required, locking up the device "turns off" the back-door.
* I know how to make it tamper-evident or I know I can't and accept the risk. If physical access is required, a seal across the door leading to the equipment room provided tamper-evidence.
SCADA default insecurity? (Score:2)