Korenix has patched multiple vulnerabilities in a range of devices used across critical infrastructure industries.
Korenix Technologies, a subsidiary of Sweden-based Beijer Electronics, manufactures wired and wireless products for industry verticals including the energy, automation, and transport sectors.
In a blog post, researchers from SEC Consult revealed how a number of critical vulnerabilities are present in various products made and marketed by Korenix, and also rebadged and sold by Westermo and Pepperl+Fuchs.
The industrial control devices sold by all three companies share a “partially similar firmware base” which can be managed via a Windows client program called Korenix View, or Jet View.
The program, which enables communication to and from devices in plaintext, was vulnerable to an unauthenticated device administration bug (CVE-2020-12500), allowing potential attackers unauthorized access.
The researchers explained that the older version of this management program, called cmd-server2, can be controlled without a password.
“Analyzing the newer version, called jetviewd, indicates that some kind of password can be set. But this is not part of the default configuration,” the blog post reads.
An unauthenticated attacker could access the devices and potentially carry out malicious activity such as modifying networking settings, triggering downloads and uploads of configuration files, and initiating uploads of new firmware and bootloader files.
Multiple flaws
A second issue (CVE-2020-12501) present in the devices was multiple backdoor accounts that were found during security checks of firmware files.
Researchers also found that the web interface of products was vulnerable to cross-site request forgery (CVE-2020-12502), allowing potential attackers to modify device settings.
Semi-blind command injection vulnerabilities (CVE-2020-12503) were found on the device series JetNet and the Westermo PMI-110-F2G Managed PoE Gigabit Switch, the blog post details.
Due to the lack of CSRF protection, an attacker can execute arbitrary commands on the device by luring a victim into clicking a malicious link.
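To make the CSRF weakness concrete from the defender's side, the following added example (not code from the original article, SEC Consult, or Korenix) contrasts a settings handler that honours any authenticated POST with one that requires a per-session synchronizer token compared in constant time plus an Origin/Referer check. The request and session shapes, the `own_origin` parameter and the helper names are assumptions made for this illustration.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Request/session objects are plain dicts constructed for this example;
# a real web framework supplies its own equivalents.


def issue_csrf_token(session: dict) -> str:
    """Mint a random per-session token, store it server-side, and return it
    so the settings form can embed it in a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def vulnerable_apply_settings(request: dict, session: dict, device: dict) -> bool:
    """Vulnerable pattern: any POST that rides on a valid session cookie is
    applied. A page on a different origin can auto-submit such a form in the
    victim's browser, which is exactly what a CSRF link exploits."""
    if request["method"] != "POST" or not session.get("authenticated"):
        return False
    device.update(request["form"])
    return True


def _same_origin(url: str, own_origin: str) -> bool:
    """Compare scheme and host:port only, so 'http://host.evil' cannot pass
    as a prefix match for 'http://host'."""
    seen, own = urlparse(url), urlparse(own_origin)
    return (seen.scheme, seen.netloc) == (own.scheme, own.netloc)


def hardened_apply_settings(request: dict, session: dict, device: dict,
                            own_origin: str) -> bool:
    """Hardened pattern: reject the change unless the Origin (or Referer)
    header matches the device's own origin AND the submitted token equals the
    one stored in the session. The token comparison is constant-time."""
    if request["method"] != "POST" or not session.get("authenticated"):
        return False
    headers = request["headers"]
    origin = headers.get("Origin") or headers.get("Referer", "")
    if not _same_origin(origin, own_origin):
        return False
    expected = session.get("csrf_token")
    supplied = request["form"].get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False
    changes = {k: v for k, v in request["form"].items() if k != "csrf_token"}
    device.update(changes)
    return True
```

The Origin check alone is not sufficient (some clients omit the header), and the token alone does not help if it leaks; together they cover each other's gaps, which is why both are enforced before the device state is touched.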
Finally, multiple affected industrial control devices were vulnerable to Arbitrary Unauthenticated Actions (CVE-2020-12504) because their Trivial File Transfer Protocol (TFTP) servers could be abused.
Because the TFTP server runs as root, it can be abused to read any file on the system, exposing password hashes via the file /etc/passwd.
Researchers did note that write access is restricted to certain files including configuration, certificates, boot loader, and firmware upgrades.
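Since TFTP carries no authentication, monitoring the requests themselves is the practical detection control. The following added example (not code from the article, SEC Consult, or Korenix) parses TFTP read and write requests per RFC 1350 and flags reads of sensitive paths or writes outside an expected set of locations. The sensitive-path list, the permitted write prefixes and the sample packets are constructed for this illustration and are not the devices' real file layout.

```python
import struct
from typing import Optional, Tuple

# Opcodes from RFC 1350; only requests are of interest here.
RRQ, WRQ = 1, 2
OPNAMES = {RRQ: "RRQ", WRQ: "WRQ"}

# Detection policy, constructed for this example.
SENSITIVE_READ = {"/etc/passwd", "/etc/shadow"}
ALLOWED_WRITE_PREFIXES = ("/config/", "/certs/", "/firmware/", "/bootloader/")


def parse_tftp_request(packet: bytes) -> Optional[Tuple[str, str, str]]:
    """Return (opname, filename, mode) for an RRQ/WRQ packet.

    Layout: 2-byte opcode, filename, NUL, mode, NUL. Anything else (DATA,
    ACK, ERROR, truncated input) yields None so the caller can ignore it."""
    if len(packet) < 4:
        return None
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode not in OPNAMES:
        return None
    fields = packet[2:].split(b"\x00")
    # Expect filename, mode and the empty remainder after the final NUL.
    if len(fields) < 3:
        return None
    filename = fields[0].decode("latin-1")
    mode = fields[1].decode("latin-1").lower()
    return OPNAMES[opcode], filename, mode


def classify(packet: bytes, src: str) -> Optional[str]:
    """Return an alert string for suspicious requests, otherwise None."""
    parsed = parse_tftp_request(packet)
    if parsed is None:
        return None
    op, filename, _mode = parsed
    if op == "RRQ" and (filename in SENSITIVE_READ or ".." in filename):
        return f"ALERT src={src} RRQ of sensitive path {filename}"
    if op == "WRQ" and not filename.startswith(ALLOWED_WRITE_PREFIXES):
        return f"ALERT src={src} WRQ outside permitted paths {filename}"
    return None


def scan(samples) -> list:
    """Run the classifier over (src, packet) pairs and collect alerts."""
    alerts = []
    for src, packet in samples:
        hit = classify(packet, src)
        if hit:
            alerts.append(hit)
    return alerts


if __name__ == "__main__":
    # Constructed sample traffic: one benign config read, one sensitive read,
    # one write outside the permitted locations, one DATA packet.
    captured = [
        ("10.0.0.5", b"\x00\x01/config/running.cfg\x00octet\x00"),
        ("10.0.0.9", b"\x00\x01/etc/passwd\x00octet\x00"),
        ("10.0.0.9", b"\x00\x02/etc/passwd\x00octet\x00"),
        ("10.0.0.5", b"\x00\x03\x00\x01payload-bytes"),
    ]
    for line in scan(captured):
        print(line)
```

A sensor placed on the management VLAN (the segmentation the vendor recommends) sees these UDP/69 requests before any data flows, so the alert fires even when the read succeeds on the device side.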
These various vulnerabilities were recently patched by Korenix. An update to the latest firmware can be found on its website.
SEC Consult also noted that Korenix made a number of more general security best practice recommendations, including restricting device network access to trusted parties, devices, and networks only; separating the devices from other networks with a firewall system exposing a minimal number of ports (i.e. network segmentation); and scanning portable computers and removable storage media for viruses before they are connected to those devices.
Source: https://portswigger.net/daily-swig/korenix-patches-multiple-critical-vulnerabilities-in-networking-devices