Cylink’s Justin Clarke has tagged another SCADA maker for default insecurity, discovering a hidden factory account – complete with hard-coded password – in switch management software made by Belden-owned GarrettCom.
As the Department of Homeland Security's ICS-CERT advisory (PDF) notes, the company’s Magnum MNS-6K management application allows an attacker to gain administrative privileges over the application and therefore the SCADA switches it manages.
The advisory states that a patch issued in May removed the vulnerability. However, since the vendor’s patch notice didn’t document the change, it’s possible that customers may not yet have implemented it.
Since GarrettCom claims “75 percent of the top 100 power utilities in North America” among its customers, the patch might be regarded as important.
Clarke seems to have struck a rich seam looking for undocumented insecurities in SCADA kit. In April, he sniffed out a similar default account vulnerability in RuggedCom kit, following it up in August with the discovery that the same vendor had a hard-coded RSA key in its switches.
Cylance’s advisory about the vulnerability says that while the factory account is only intended for use over the local console port. However, while not documenting the process, the company says it’s possible for someone logged in via a guest account (which wouldn’t be restricted to the serial port) could get themselves escalated to the factory account. ®