Attackers can interfere with the interaction of ICS components
German vendor Hirschmann, a Belden company, has published information about fixes for five vulnerabilities in network switches used in energy, chemical manufacturing, transportation, and other industries. The vulnerabilities were discovered by Positive Technologies experts Ilya Karpov, Evgeny Druzhinin, Mikhail Tsvetkov, and Damir Zaynullin.
The described issues affect Hirschmann (Belden) RS, RSR, RSB, MACH100, MACH1000, MACH4000, MS, and OCTOPUS Classic switches. A session fixation vulnerability in the switch web interface enables an attacker to hijack a web session (CVE-2018-5465, CVSS v3.0 score 8.8). The second vulnerability (CVE-2018-5467, score 6.5) allows an attacker to impersonate a legitimate user by combining disclosure of sensitive information through specially crafted GET requests to the web interface with the use of a hard-coded username.
The third vulnerability (CVE-2018-5471, score 5.9) involves insecure transfer of sensitive information in the web interface; a man-in-the-middle attacker could therefore obtain this data.
In the fourth vulnerability, use of weak encryption enables a man-in-the-middle attacker to obtain sensitive information (CVE-2018-5461, score 6.5). The vulnerability with the highest risk score (CVE-2018-5469, score 9.8) is the switches' failure to properly restrict the number of login attempts in the web interface, which lets an attacker brute-force passwords.
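Two of the issues above, session fixation (CVE-2018-5465) and unrestricted login attempts (CVE-2018-5469), are generic web-login defects whose fixes are easy to show side by side. The following is an added Python example written for this page; it is not Hirschmann firmware code and does not reproduce the switches' web interface. It models a minimal login handler in two forms: a vulnerable variant that keeps whatever session id the client presented and simply marks it authenticated, and a hardened variant that issues a fresh random session id on success and locks out a source after a number of failed attempts within a sliding window. The credential store, the session-id format, the source addresses, and the lockout thresholds are all constructed for the demo.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

# Policy knobs: constructed values for this demo, not vendor settings.
MAX_FAILED_ATTEMPTS = 5        # failures per source before lockout
FAILURE_WINDOW_SECONDS = 300   # sliding window in which failures are counted
LOCKOUT_SECONDS = 900          # how long a source stays locked out

# Constructed credential store; plain-text secret only to keep the demo short.
USERS = {"admin": "constructed-demo-password"}


class SessionStore:
    """Maps session ids to the authenticated username (None before login)."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_hex(32)   # 256 bits from the OS CSPRNG
        self.sessions[sid] = None
        return sid


class LoginThrottle:
    """Per-source failed-login counter with a sliding window and lockout."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock            # injectable for deterministic tests
        self.failures = defaultdict(deque)
        self.locked_until = {}

    def is_locked(self, source):
        until = self.locked_until.get(source)
        if until is None:
            return False
        if self.clock() >= until:     # lockout expired: reset state
            del self.locked_until[source]
            self.failures.pop(source, None)
            return False
        return True

    def record_failure(self, source):
        now = self.clock()
        window = self.failures[source]
        window.append(now)
        while window and now - window[0] > FAILURE_WINDOW_SECONDS:
            window.popleft()          # forget failures outside the window
        if len(window) >= MAX_FAILED_ATTEMPTS:
            self.locked_until[source] = now + LOCKOUT_SECONDS

    def record_success(self, source):
        self.failures.pop(source, None)


def password_ok(username, password):
    # The constant-time comparison runs whether or not the user exists, so the
    # response time does not reveal which usernames are valid.
    expected = USERS.get(username, "")
    match = hmac.compare_digest(expected.encode(), password.encode())
    return match and username in USERS


def login_vulnerable(store, presented_sid, username, password):
    """Session-fixation pattern: the id the client presented (which an attacker
    may have planted) is kept and promoted to an authenticated session."""
    store.sessions.setdefault(presented_sid, None)
    if password_ok(username, password):
        store.sessions[presented_sid] = username
        return presented_sid
    return None


def login_hardened(store, throttle, source, presented_sid, username, password):
    """Rejects locked-out sources, counts failures per source, and issues a
    fresh session id on success so a pre-set id never becomes authenticated."""
    if throttle.is_locked(source):
        return None
    if not password_ok(username, password):
        throttle.record_failure(source)
        return None
    throttle.record_success(source)
    store.sessions.pop(presented_sid, None)   # discard the pre-login id entirely
    sid = store.new_session()
    store.sessions[sid] = username
    return sid


if __name__ == "__main__":
    store = SessionStore()
    throttle = LoginThrottle()
    sid = login_hardened(store, throttle, "192.0.2.10", "attacker-chosen-id",
                         "admin", "constructed-demo-password")
    print("fresh session id issued:", sid is not None and sid != "attacker-chosen-id")
```

The lockout is keyed on the source address rather than on the account so that a single account cannot be locked out of management access by a remote party; in a real deployment the same counters should also feed an alert, since a device that lacks this control can only be protected by monitoring the traffic in front of it.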
Positive Technologies experts have noted a sizable increase in the number of vulnerabilities in industrial network equipment, including switches, interface converters, and gateways. In addition, such equipment is increasingly reachable from the Internet, judging by the large number of device IP addresses that public search engines return. These protection gaps create opportunities for attackers and can lead to serious consequences.