In-brief: A hard-coded password in many versions of GE’s MultiLink industrial networking switches could open the door to hackers, the Department of Homeland Security ICS-CERT warned.
The Department of Homeland Security is warning customers who use a common piece of industrial networking equipment made by GE that it contains a hard-coded administrative account that would give an attacker who knew of the account the ability to remotely log in to and control the device.
DHS’s Industrial Control System CERT (ICS-CERT) issued a warning on Thursday concerning a variety of models of GE’s MultiLink series switches, saying that the devices have a hard-coded credential vulnerability that “could allow unauthorized administrative access to device configuration options available through the web interface.”
GE identified the issue and has created an update to the software (“firmware”) that runs the MultiLink devices that removes the default account. The vulnerability identifier CVE-2016-2310 has also been assigned to the issue.
MultiLink Ethernet switches come in a variety of models and are designed for “the unique needs of the protection and control industry.” Information on GE’s web site said the devices are suitable for use in utility substations and harsh industrial environments. GE said the switches are deployed in industries like “critical manufacturing, energy and water and wastewater systems” and are used worldwide, the ICS-CERT alert said.
DHS said that there are no known attempts to exploit the vulnerability (but who knows, really) and that impact to organizations depends on “many factors that are unique to each organization.” Organizations that have the MultiLink devices deployed are advised to “evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation” and take steps to mitigate it.
Customers are encouraged to install firmware version 5.5.0 on the MultiLink 800, 1200, 1600, and 2400 devices and firmware version 5.5.0k on the MultiLink 810, 3000, and 3100 devices.
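For teams tracking the rollout, the sketch below is an added example (not GE or ICS-CERT code) that checks a switch inventory against the fixed firmware releases named above. It assumes a CSV export with hypothetical `host`, `model` and `firmware` columns, model strings such as `ML2400`, and firmware strings of the form `N.N.N` with an optional trailing letter.

```python
import csv
import io
import re

# Fixed firmware per MultiLink model, as listed in the article.
FIXED = {
    "800": "5.5.0", "1200": "5.5.0", "1600": "5.5.0", "2400": "5.5.0",
    "810": "5.5.0k", "3000": "5.5.0k", "3100": "5.5.0k",
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")


def parse_version(text):
    # Assumption: a trailing letter marks a later build of the same release,
    # so "5.5.0" < "5.5.0k"; confirm against the vendor's release notes.
    m = VERSION_RE.match(text.strip().lower())
    if not m:
        return None
    return (int(m[1]), int(m[2]), int(m[3]), m[4])


def audit(inventory_csv):
    """Classify each inventory row as 'fixed', 'update' or 'review'."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = re.sub(r"\D", "", row["model"])  # "ML2400" -> "2400"
        running = parse_version(row["firmware"])
        if model not in FIXED or running is None:
            status = "review"  # unknown model or unreadable version: check by hand
        elif running >= parse_version(FIXED[model]):
            status = "fixed"
        else:
            status = "update"
        results[row["host"]] = status
    return results


# Constructed sample inventory; hosts and versions are illustrative only.
SAMPLE = """host,model,firmware
sub-a-sw1,ML2400,5.4.1
sub-a-sw2,ML810,5.5.0
sub-b-sw1,ML3000,5.5.0k
plant-sw9,ML1200,5.5.0
plant-sw3,ML800,unknown
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

Note that the second sample row is flagged for update: 5.5.0 is the fixed release for the 800, 1200, 1600 and 2400, but the 810, 3000 and 3100 need 5.5.0k.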
Hard-coded passwords and other back door accounts are distressingly common in the industrial control system space and in other critical infrastructure sectors. The agency issued a similar warning in January on industrial switches made by the firm Westermo. In 2013, ICS-CERT issued a general warning about the presence of such accounts on widely used medical devices.
In August 2015, US-CERT warned of firmware running on DSL routers sold under the ZTE, ASUS, DIGICOM, Observa Telecom and Philippine Long Distance Telephone (PLDT) brands that contains a hard-coded password allowing an attacker who can remotely connect to the devices to log in with administrator credentials.