Network kit biz Phoenix takes heat as flaws may leave industrial control system security in ashes
Oil, gas, maritime systems affected by latest bug findings
Companies running a popular brand of industrial Ethernet switch are being advised to update their firmware ASAP following a series of bug disclosures.
Security house Positive Technologies took credit today for the discovery of six CVE-listed security vulnerabilities in the Phoenix Contact FL Switch 3xxx, 4xxx, and 48xx industrial control switches. The flaws are addressed in firmware versions 1.35 or newer.
Among the now-patched flaws were several Positive described as "critical" security risks that could be exploited to knock vulnerable devices offline or pull off man-in-the-middle attacks.
"Successful exploitation of these weaknesses has the potential to cause disruption, or even total interruption, of ICS operations," Positive Technologies SCADA research analyst Paolo Emiliani said in the company's write-up of the issue.
"An attacker can intercept user credentials and then re-configure a switch to disable its ports, resulting in failure of network communication between ICS components."
These are particularly serious bugs given where many of the vulnerable network switches are used. Positive says the Contact FL line is particularly popular for oil and energy facilities, as well as maritime systems, where a controller breakdown would be a major headache.
All of the vulnerabilities were discovered and privately reported by researchers Evgeny Druzhinin, Ilya Karpov, and Georgy Zaytsev.
Two of the more series flaws were CVE-2018-13993, a cross-site request forgery that would let an attacker use the web interface to control a vulnerable switch and send arbitrary commands, and CVE-2018-13990, a brute force vulnerability caused by the switch not having a timeout period between login attempts.
Yes, you can remotely hack factory, building site cranes. Wait, what?READ MORE
CVE-2018-13992 is a possible password theft vulnerability caused by the switch transmitting login information over its web interface as plain text, while CVE-2018-13991 is a man-in-the-middle flaw that could allow an attacker to harvest encryption keys.
Two other bugs, CVE-2018-13994 and CVE-2017-3735 are denial of service vulnerabilities caused by a buffer error and the web interface not properly limiting the number of possible connections.
All of the bugs can be patched by updating the switch's firmware to the latest build (in this case 1.35 or later). Those downloads can be found on the managed switch products page on Phoenix's website. ®