GarrettCom Plugs Magnum Holes

Tuesday, June 16, 2015 @ 03:06 PM gHale


GarrettCom created new firmware versions to mitigate authentication, denial of service, and cross-site scripting vulnerabilities in its Magnum 6k and Magnum 10k product lines, according to a report on ICS-CERT.

Ashish Kamble of Qualys Security, who along with Eireann Leverett discovered the holes, tested the newest version to validate that it resolves the remotely exploitable vulnerabilities.


The following GarrettCom products are affected:
• Magnum 6K product line, all versions prior to 4.5.6, and
• Magnum 10K product line, all versions prior to 4.5.6.

An attacker who exploits these vulnerabilities may be able to remotely execute arbitrary code on the target device or cause the device to reboot.

GarrettCom is a U.S.-based company that also maintains offices in Europe.

The Magnum MNS-6K Management Software provides device management for the Magnum 6K line of managed Ethernet switches. According to GarrettCom, the 6K line of switches is deployed across several sectors, including critical manufacturing, defense industrial base, energy, transportation systems, and water and wastewater systems. GarrettCom said these products are used primarily in the United States, with a small percentage in Europe and Asia, though they are available worldwide.

Multiple cross-site scripting (XSS) vulnerabilities exist in the web server running on the device, and an unauthenticated attacker can exploit them.

CVE-2015-3942 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.

The firmware contains hard-coded RSA private keys and certificate files that the device uses as its server identity for SSH and HTTPS connections; because they ship in the firmware image, every device running that image presents the same key material.

CVE-2015-3960 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

In addition, the firmware contains a hard-coded password for a high-privilege user account that is accessible over the serial console.

CVE-2015-3959 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.2.

A specially formed URL sent to the device's web server can trigger memory corruption that results in a reboot of the device.

CVE-2015-3961 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 3.5.

No known public exploits specifically target these vulnerabilities.

The latest versions of the GarrettCom Magnum 6K and Magnum 10K software fix these vulnerabilities: Version 4.5.5 was released in December and Version 4.5.6 in January. The latest software version and release notes are available for download from GarrettCom.
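As an added illustration (not GarrettCom's or ICS-CERT's code), the following fleet check covers the two conditions an operator can observe directly from an inventory: firmware older than 4.5.6, and the same SSH host key presented by several devices, which is the visible symptom of the firmware-embedded key described above. The hostnames, version strings and fingerprints are constructed; the fingerprint format is what `ssh-keyscan` piped into `ssh-keygen -lf -` prints.

```python
"""Fleet check for the Magnum advisory: outdated firmware and shared SSH host keys.

Added example, not vendor code. The inventory below is constructed; a real run
would load it from an asset database or from ssh-keyscan output.
"""
from collections import defaultdict

FIXED_VERSION = (4, 5, 6)  # first fixed release named in the advisory

# Constructed sample inventory (hypothetical hostnames, versions and fingerprints).
INVENTORY = [
    {"host": "sw-plant-01", "version": "4.5.6", "fp": "SHA256:AAAA"},
    {"host": "sw-plant-02", "version": "4.5.5", "fp": "SHA256:BBBB"},
    {"host": "sw-plant-03", "version": "4.4.9", "fp": "SHA256:BBBB"},
    {"host": "sw-plant-04", "version": "4.4.9", "fp": "SHA256:BBBB"},
]


def parse_version(text):
    """Turn '4.5.6' into (4, 5, 6) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))


def outdated(inventory, fixed=FIXED_VERSION):
    """Hosts whose reported firmware is older than the first fixed release."""
    return sorted(d["host"] for d in inventory if parse_version(d["version"]) < fixed)


def shared_host_keys(inventory):
    """Map each SSH host-key fingerprint seen on more than one device to those devices.

    Distinct devices presenting the same host key means the key was shipped in
    the firmware image rather than generated per unit, so anyone who extracts
    it from one image can impersonate every device in the fleet.
    """
    by_fp = defaultdict(list)
    for d in inventory:
        by_fp[d["fp"]].append(d["host"])
    return {fp: sorted(hosts) for fp, hosts in by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    print("below 4.5.6:", outdated(INVENTORY))
    for fp, hosts in shared_host_keys(INVENTORY).items():
        print(f"shared host key {fp}: {', '.join(hosts)}")
```

Run the key check again after upgrading: a fingerprint that is still shared means the device did not generate a unique key, and its SSH host key and HTTPS certificate need to be replaced.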