The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) owned by the US Department of Homeland Security (DHS) has issued an advisory to warn customers of ORing Industrial Networking devices of a serious vulnerability that exposes their organizations to cyberattacks.
According to ICS-CERT, the security hole was identified by independent security researcher Reid Wightman of Digital Bond. He discovered hard-coded passwords for ORing Industrial DIN-Rail Device Server 5042/5042+ systems.
The main problem is that the expert published his findings without contacting the product’s Taiwan-based vendor or the CERT. Even more worrying is the fact that the agency hasn’t been able to coordinate the vulnerability with ORing Industrial Networking and there aren’t any workarounds or patches for the flaw.
A remote attacker who knows the hard-coded credentials can exploit the affected product by logging into the device with administrative privileges. This gives him permission to change the system’s settings, and even read and write files.
“An attacker can log into the operating system of the device using an SSH connection with the root credentials to gain administrative access. Once the attacker gains access to the device, the file system and settings can be accessed, which could result in a loss of availability, integrity and confidentiality,” ICS-CERT reports
So who exactly is impacted by this problem?
The products susceptible to such attacks are industrial serial device servers and they’re used for SCADA systems. Judging by the manufacturer’s website, they’re deployed in sectors such as gas, oil, manufacturing, electric utilities and transportation, mainly from the US, Europe and Asia.
Since there’s no patch in sight and there isn’t a known workaround, ICS-CERT advises the users of ORing Industrial DIN-Rail Device Server 5042/5042+ systems to minimize their network exposure and ensure that they're not directly connected to the Internet. The use of firewalls and Virtual Private Networks is also highly recommended.Update.
ORing Networking has addressed the issue in December 2012. The firmware update is available here
. Customers are advised to apply the update as soon as possible.