System admins warned of security issues with GE Ethernet switches
January 15, 2015
General Electric is the latest industrial equipment maker to warn system admins to patch their devices to protect against hard-coded credentials in various Ethernet switches.
IOActive disclosed the security vulnerability to ICS-CERT, which issued an advisory.
The security vulnerability occurs in various GE Multilink managed Ethernet switches.
The affected models are the ML-800, 1200, 1600 and 2400 at versions 4.2.1 and older, and the ML-810, 3000 and 3100 at versions older than 5.2.0.
In those switches, the RSA key used to encrypt SSL traffic is hard-coded in the firmware, which needs to be updated. The company has issued patch instructions on its website.
It's important to note that ICS-CERT says the skill level needed to remotely exploit the vulnerability is fairly low.
After patching a system, administrators should generate new key pairs for their networks, and as GE notes, “it is recommended that the user perform the key exchange over a serial connection to prevent a third party from capturing the new key”.
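A post-patch check for the key regeneration step above, as an added example that is not from GE, ICS-CERT or IOActive: it groups switches by the SHA-256 fingerprint of the certificate each one presents and flags any that still show the factory certificate or share a certificate with another switch. The host addresses, the placeholder certificate bytes and the `factory_fp` input are constructed assumptions.

```python
import hashlib
import ssl
from collections import Counter


def fingerprint(pem_cert: str) -> str:
    """SHA-256 of the DER certificate a switch's web interface presents."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest()


def fetch_pem(host: str, port: int = 443) -> str:
    """Fetch a live certificate; unused in the offline sample run below."""
    return ssl.get_server_certificate((host, port))


def classify(certs: dict, factory_fp: str = "") -> dict:
    """Label each host 'factory-default', 'shared' or 'unique'.

    factory_fp is the fingerprint recorded from a device still on the
    firmware-supplied key; it is an input, not a value from the advisory.
    """
    fps = {host: fingerprint(pem) for host, pem in certs.items()}
    seen = Counter(fps.values())
    status = {}
    for host, fp in fps.items():
        if factory_fp and fp == factory_fp:
            status[host] = "factory-default"   # key was never regenerated
        elif seen[fp] > 1:
            status[host] = "shared"            # same certificate on several switches
        else:
            status[host] = "unique"
    return status


# Constructed sample: placeholder bytes stand in for real certificates,
# and the addresses come from the 192.0.2.0/24 documentation range.
FACTORY = ssl.DER_cert_to_PEM_cert(b"constructed factory certificate")
COPIED = ssl.DER_cert_to_PEM_cert(b"constructed certificate reused on two switches")
SAMPLE = {
    "192.0.2.10": FACTORY,
    "192.0.2.11": FACTORY,
    "192.0.2.12": ssl.DER_cert_to_PEM_cert(b"constructed regenerated certificate"),
    "192.0.2.13": COPIED,
    "192.0.2.14": COPIED,
}

if __name__ == "__main__":
    for host, state in classify(SAMPLE, fingerprint(FACTORY)).items():
        print(f"{host}  {state}")
```

Comparing whole-certificate hashes will miss a reissued certificate that wraps the old key, so a stricter audit would compare the public key itself, which needs an X.509 parser outside the standard library.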
And there's more: the admin Web server for the switches is also subject to crafted-packet denial-of-service attacks.
The only repair for this is to disable the server and manage the switch through its command line interface.
Additionally, GE notes that IOActive's Eireann Leverett, who discovered and disclosed these security vulnerabilities, has also found a third attack vector, which GE is now investigating as well.
Source: General Electric.