Exploitation of vulnerabilities in Moxa industrial switches could disrupt

freemexy

Positive Technologies experts Ivan Boyko, Vyacheslav Moskvin, and Sergey Fedonin have discovered multiple
vulnerabilities in Moxa industrial switches in the EDS-405A, EDS-408A, Wireless EDS-510A, and IKS-G6824A series. These switches are used to build
industrial networks for oil and gas, transportation, maritime
logistics, and numerous industrial sectors.


"A vulnerable switch can mean the compromise of the entire industrial network. If ICS components are parts of the body, you can think of
network equipment as the arteries that connect them all. So disruption
of network interactions could degrade or even stop ICS operations
entirely," Paolo Emiliani, Industry and SCADA Research Analyst at
Positive Technologies, explained.

In Moxa series EDS-405A, EDS-408A, and
EDS-510A (firmware versions 3.8 and earlier), the Positive Technologies
experts discovered five vulnerabilities, three of which are highly
dangerous. For instance, an attacker could recover the password from a
cookie intercepted over the network or by using Cross-Site Scripting
(XSS), extract sensitive information, or brute-force credentials using
the proprietary configuration protocol to obtain control over the switch
and possibly the entire industrial network.


IKS-G6824A switches (firmware versions 4.5 and earlier) contained seven vulnerabilities. The most dangerous one involved a buffer overflow
in the web interface that could be performed without logging in.
Exploitation of the vulnerability causes denial of service and
potentially remote code execution. In the hands of attackers, the other
vulnerabilities could cause a permanent denial of service on the switch,
reading of device memory, ability to perform various actions as a
legitimate user in the device web interface, and more.


Positive Technologies experts advise disabling all unneeded equipment features (such as the management web interface) immediately
after setup. If features cannot be disabled, companies should take
preventive action to detect malicious activity with the help of an ICS
monitoring and incident reaction solution such as PT Industrial Security
Incident Manager (PT ISIM).

Posted 16 Mar 2019
