Got a GE industrial Ethernet switch? Get patching

Hard-coded RSA keys found in firmware

GE is the latest industrial kit vendor to send users patching to protect against hard-coded credentials in Ethernet switches.

IOActive disclosed the vulnerability to ICS-CERT, which issued an advisory (CVE-2014-5418 and CVE-2014-5419).

The vulnerability occurs in various GE Multilink managed Ethernet switches: the ML800, 1200, 1600 and 2400 versions 4.2.1 and older; and the ML810, 3000 and 3100 versions older than version 5.2.0.

In these switches, the RSA key used to encrypt SSL traffic is hard-coded in the firmware, which needs to be updated (the company has issued patch instructions). ICS-CERT reckons the skill level needed to remotely exploit the vulnerability is low.

After patching, admins should generate new key pairs for their networks, and as GE notes, “it is recommended that the user perform the key exchange over a serial connection to prevent a third party from capturing the new key”.
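As an added illustration (not code from GE, IOActive or ICS-CERT), the Python sketch below audits a switch inventory against the version ranges quoted above and flags any key fingerprint seen on more than one device, which is what a firmware-embedded key that was never regenerated looks like from the outside. The inventory format, host names, fingerprint values and the "ML" prefix on the 1200, 1600, 2400, 3000 and 3100 model names are assumptions made for the example.

```python
from collections import defaultdict

# Affected ranges as stated in the article:
# (models, boundary version, is the boundary version itself affected?)
AFFECTED = [
    ({"ML800", "ML1200", "ML1600", "ML2400"}, (4, 2, 1), True),   # 4.2.1 and older
    ({"ML810", "ML3000", "ML3100"}, (5, 2, 0), False),            # older than 5.2.0
]

def parse_version(text):
    """'4.2.1' -> (4, 2, 1). Assumes purely numeric dotted versions;
    short forms are padded so '5.2' compares equal to '5.2.0'."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def needs_firmware_update(model, version):
    v = parse_version(version)
    for models, boundary, inclusive in AFFECTED:
        if model.upper() in models:
            return v <= boundary if inclusive else v < boundary
    return False  # model is not one the article lists

def audit(inventory):
    """inventory: iterable of dicts with host, model, version, key_fp.
    Returns (hosts that need the firmware update,
             {fingerprint: [hosts]} for every key seen on more than one device)."""
    unpatched, by_key = [], defaultdict(list)
    for dev in inventory:
        if needs_firmware_update(dev["model"], dev["version"]):
            unpatched.append(dev["host"])
        # Normalise 'AA:11' and 'aa11' to the same fingerprint string.
        by_key[dev["key_fp"].lower().replace(":", "")].append(dev["host"])
    shared = {fp: hosts for fp, hosts in by_key.items() if len(hosts) > 1}
    return unpatched, shared

# Constructed sample inventory; fingerprints are shortened placeholders,
# not real key hashes.
SAMPLE = [
    {"host": "sw-a", "model": "ML800",  "version": "4.2.1", "key_fp": "AA:11"},
    {"host": "sw-b", "model": "ML810",  "version": "5.2.0", "key_fp": "aa11"},
    {"host": "sw-c", "model": "ML3000", "version": "5.1.9", "key_fp": "bb22"},
    {"host": "sw-d", "model": "ML2400", "version": "4.2.2", "key_fp": "cc33"},
]

if __name__ == "__main__":
    unpatched, shared = audit(SAMPLE)
    print("needs firmware update:", unpatched)
    print("same key on several devices:", shared)
```

In the sample, sw-b already runs fixed firmware but still shares a key with sw-a, which is the case the advice to generate new key pairs after patching is meant to catch.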

There's more: the admin Web server for the switches is also subject to a crafted-packet denial-of-service attack. The only fix for this is to disable the server and manage the switch through its command line interface.

GE notes that IOActive's Eireann Leverett, who discovered and disclosed the vulnerabilities, has found a third attack vector which the company is now investigating. ®
