Westermo Updates Switch Vulnerability

Thursday, January 28, 2016 @ 03:01 PM gHale

Westermo created an update for a hard-coded certificate vulnerability in its industrial switches that allows the web interface certificate to change, according to a report on ICS-CERT.

Independent researcher, Neil Smith, who identified the vulnerability, tested the update to validate it resolves the vulnerability.

Rockwell Fixes PLC Buffer Overflow
MICROSYS Fixes Memory Corruption Hole
Hospira Buffer Overflow Vulnerability
Hole in CAREL’s Unsupported Line

The vulnerability was remotely exploitable after a successful man-in-the-middle attack.

WeOS versions older than Version 4.19.0 suffer from the issue.

This software also sees use within the following Westermo Product Lines:
• Falcon
• Lynx
• Wolverine
• Corazon
• Viper
• Redfox series

Certificates provide a key used by the switch software to encrypt and decrypt communications. The detrimental impact of the hard coded certificate is the key cannot end up changed. Once the key ends up compromised, a malicious party has access to the decrypted network traffic from the device. A malicious party can then read and modify traffic intercepted and decrypted.

Westermo is a Sweden-based company that maintains offices in several countries around the world, including the U.S., Austria, Belgium, China, France, Germany, Singapore, Switzerland, Taiwan, and the UK.

The affected products, industrial switches, are networking devices that route and provide connectivity to SCADA systems. The switches end up deployed across several sectors including commercial facilities, critical manufacturing, energy, and water and wastewater systems.

The SSL keys used by the switches to provide secure communications are hard coded. Malicious parties could obtain the key, stage a Man-in-the-Middle attack posing to be a WeOS device, and then obtain credentials entered by the end-user. With those credentials, the malicious party would have authenticated access to that device.

CVE-2015-7923 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.0.

No known public exploits specifically target this vulnerability. An attacker with a low skill would be able to exploit this vulnerability after first staging a successful Man-in-the-Middle attack.

Westermo is working on an update to automate the changing of the key. In the meanwhile, users should follow the procedure below to mitigate the vulnerability.

Procedure to replace the default web certificate:
1. Devices with WeOS versions older than 4.15.2 should upgrade to the latest release in order to get the capability to replace the default web certificate.
2. Upload a custom certificate, preferably from an established internal or external PKI. See Section 7.1.8 in the WeOS Management Guide.
3. Login to the CLI (console or SSH).
4. Issue the following commands (where

Users should avoid self-signed certificates because they provide a similar attack vector because the keys encrypting traffic do not end up established until after the first access of the device.

Web access can either be disabled completely or allowed only from the most secure network as it reduces the exposure of this vulnerability to that network. The attacker must gain access to the more secure network in order to stage an attack.