Industrial switches provided by several vendors are affected by the same vulnerabilities because they share firmware made by Taiwan-based industrial networking solutions provider Korenix Technology.
The vulnerabilities were discovered by Austria-based cybersecurity consultancy SEC Consult. The Atos-owned company has been trying to get the security holes fixed since mid-April 2020, but it took nearly one year for Korenix to release patches.
The firmware developed by Korenix for its JetNet industrial switches is also used by Westermo for PMI-110-F2G and Pepperl+Fuchs for Comtrol RocketLinx industrial switches. Both Korenix and Westermo are owned by Beijer Electronics Group. SEC Consult says devices made by these companies share a “partially similar firmware base” and they are affected by the same vulnerabilities.
SEC Consult discovered five types of vulnerabilities that have been assigned critical and high severity ratings. These include unauthenticated device administration, backdoor account, cross-site request forgery (CSRF), authenticated command injection, and TFTP file read/write issues.
An attacker with network access to the targeted device can make unauthorized changes to its configuration, cause it to enter a DoS condition, and obtain sensitive information. The vulnerabilities can be exploited to take complete control of a device.
Impacted devices are used in the heavy industry, transportation, automation, power and energy, surveillance, and other sectors. According to Thomas Weber, the SEC Consult researcher who discovered the vulnerabilities, the switches are used in key positions within the network and an attacker could exploit the vulnerabilities to cut off the network connection to attached systems.
Weber said he only saw a handful of impacted devices being exposed to the internet. The CSRF flaws can in theory be used to launch attacks directly from the internet, but the researcher pointed out that CSRF protections implemented in web browsers can make exploitation more difficult.
Pepperl+Fuchs did release some patches and workarounds last year after being notified about the vulnerabilities, but the company’s response was limited because the flaws existed in the Korenix firmware.
SEC Consult’s initial attempts to get Korenix to patch the vulnerabilities failed until late November 2020, when the company was preparing to make its findings public. Beijer representatives got in touch with SEC Consult after being contacted by SecurityWeek for comment, and the cybersecurity firm decided to postpone its advisory to give the vendor more time to release patches. Communications improved significantly after Beijer took over the disclosure process, SEC Consult said.
In addition to releasing firmware updates that patch the vulnerabilities, Korenix has shared some recommendations for preventing potential attacks, including restricting access to devices, implementing security best practices, and configuring firewalls to protect the switches against attacks originating outside the network.
Beijer Electronics told SecurityWeek that it has worked with SEC Consult regarding the timing of the advisory being made public, but the company is unhappy with the fact that the advisory contains proof-of-concept (PoC) code and other information that could be leveraged in attacks against customers’ systems.