Last summer during a pentest for a client we came across industrial switches made by Hirschmann: a Belden Brand, (which) provides the industry with leading Ethernet networking technology and sets the industrial networking standards for quality, reliability and service. (Source: http://www.belden.com/aboutbelden/brands/Hirschmann.cfm ) and found a few unknown vulnerabilities (0day) affecting version 2.0.00 and prior versions. We’ve choose to “responsible disclose” them, directly to Hirschmann and the ICS-CERT (Industrial Control Systems Cyber Emergency Response Team). Since then a new firmware has been released (2.0.01) to patch one of them (the most critical). ICS-CERT has released an advisory and a CVE (CVE-2017-5163) has been assigned.
Many thanks to Hirschmann and the ICS-CERT teams.
(…) After an administrator downloads a configuration file, a copy of the configuration file, which includes hashes of user passwords, is saved to a location that is accessible without authentication. (…)
As simple as:
Belden has released a new software version, Version 02.0.01, to address the identified vulnerability, which is available at the following location:
In the wild
As this is an industrial switch it should not be connected directly to Internet and searchs on Google or Shodan shouldn’t give any results.
But if needed here is the http headers:
HTTP/1.1 200 OK Server: libCWebUI Accept-Ranges: bytes Content-Length: 5823 Content-Type: text/html Connection: close (...) GECKO 4TX</title>
2016/07/14 First contact by mail
2016/07/14 Full report sent by mail to Hirschmann –> they start investigation
2016/09/07 Hirschmann phone call -> they work on a fix
2016/10/11 Hirschmann mail: “The new firmware release candidate passed internal tests and we are going to finalize it soon and publish the new release together with a Security Bulletin mentioning your efforts as key to the whole release.”
2016/10/11 Hirschmann mail with a link to the RC of their new firmware and a “Security Bulletin” which says: “The user authentication for downloading the configuration file can be bypassed after a user with administrator privileges downloads the configuration file.”
2016/10/12 Answer to Hirschmann to ask if the other vulnerabilities have been taken into account
2016/11/18 Answer of Hirschmann : “We are expecting the Final version of the Firmware in the next couple of days, after which we will follow a quick release process. We will release this version together with the security announcement mentioning your discovery and assistance. The additional issues you reported will be assesed again and we will discuss when or if they will be included.”
2016/11/24 Full report sent to ICS-CERT
2016/12/14 New firmware released (2.0.1)
2016/12/19 Belden advisory released
2017/01/26 ICS-CERT advisory released