Clarke tags new RuggedCom vuln
Hard-coded RSA key provides new backdoor
Justin Clark, who back in April pinged industrial control vendor RuggedCom over a backdoor that existed in control systems based on its ROS operating system, has turned up a second vulnerability in the form of a hard-coded RSA key.
The original backdoor was a simple undocumented account designed to provide admin access in case of a lost management password. When obscurity failed, the company issued a patch disabling the backdoor.
The new vulnerability, according to the ICS-CERT advisory (PDF), is so serious that systems should be isolated from the Internet. Since the RSA key for the equipment is hard-coded in the ROS, key recovery from one device allows an attacker to decrypt SSL traffic to and from RuggedCom devices.
The advisory states that operators of the company's kit should:
Minimize network exposure for all control system devices. Control system devices should not directly face the Internet; - Locate control system networks and devices behind firewalls, and isolate them from the business network; - If remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.”
RuggedCom has yet to comment on the issue. ®
Honestly an undocumented account in this day and age? They must be keen on committees to decide features over @rugged as it certainly sounds like a committee decision. As for the hard-coded RSA key........
Fact is you should not be losing the info that allows you to manage such expensive high-reliance devices, store it securely ffs. Best working practise anyone? .....Guess not especially when you produce smart grid management devices.
Imagine that meeting when the idea got forced on the programmers
Manager1: Hey 5% of our customers have needed help regaining control of our devices over the last financial year. It's costing us to much to provide support to them.
Manager2: How about a super uber secret backdoor to allow them to regain control without having to contact us for support? Thus lowering our support costs even though our parent company *cough* prides it's self on being a service orientated provider of many technologies.
Manager3: Is that unsafe? An attackvectorthingymajig?
manager2: Ok.....(bleet bleet)
Manager3: Ok.....(bleet bleet)
Manager1: Done for the day gents. I'm off for some steak and strippers on the company coin!