GE is the latest industrial kit vendor to send users patching to protect against hard-coded credentials in Ethernet switches.
The vulnerability occurs in various GE Multilink managed Ethernet switches: the ML800, 1200, 1600 and 2400 versions 4.2.1 and older; and the ML810, 3000 and 3100 versions older than version 5.2.0.
In these switches, the RSA private key used to secure the SSL connection is hard-coded in the firmware, which needs to be updated (the company has published patch instructions). ICS-CERT reckons the skill level needed to remotely exploit the vulnerability is low.
After patching, admins should generate new key pairs for their networks, and as GE notes, “it is recommended that the user perform the key exchange over a serial connection to prevent a third party from capturing the new key”.
There's more: the admin Web server for the switches is also subject to a crafted-packet denial-of-service attack. The only fix for this is to disable the server and manage the switch through its command line interface.
GE notes that IOActive's Eireann Leverett, who discovered and disclosed the vulnerabilities, has found a third attack vector which the company is now investigating. ®