Industrial switch flaws could enable critical equipment remote disconnect

News by Rene Millman

Four vulnerabilities in FL SWITCH industrial switches could have enabled hackers to disconnect critical devices from an industrial network, it has been disclosed.


The flaws were disclosed by Phoenix Contact, a German electrical engineering and automation company. The affected devices are used for automation at digital substations and in the oil and gas, maritime, and other industries.

The vulnerabilities were discovered by Positive Technologies experts Vyacheslav Moskvin, Semyon Sokolov, Evgeny Druzhinin, Ilya Karpov, and Georgy Zaytsev.

According to researchers, the most hazardous of the vulnerabilities is CVE-2018-10730 (CVSS base score 9.1), which enables an attacker to run arbitrary commands on a switch. For example, these commands could include disconnecting all devices from the industrial network, which would compromise site operations.

Also dangerous is CVE-2018-10731 (score 9.0). A buffer overflow could be used to obtain unauthorised access to OS files on the switch and run arbitrary code. Buffer overflows are also involved in vulnerability CVE-2018-10728 (score 8.1), which an attacker could exploit to perform denial of service, run arbitrary code, or disable Web and Telnet services.

In the fourth vulnerability, CVE-2018-10729 (score 5.3), an unauthenticated attacker could read the contents of the switch configuration file.

The vulnerabilities affect FL SWITCH models 3xxx, 4xxx, and 48xxx running firmware versions 1.0–1.33. To stay safe, the vendor strongly recommends updating to firmware version 1.34.

Leigh-Anne Galloway, Cyber Security Resilience lead at Positive Technologies, said that an increasing number of advisories regarding new vulnerabilities in industrial network equipment are being seen.

“By informing the public of vulnerabilities and providing patches, vendors of network equipment—such as switches and interface convertors—are stepping up to the plate and setting a great example,” she said.

“However, these patches don't always reach installed equipment already in the field. Clients often rely on air gapping even though 82 percent of tested industrial network segments are insufficiently segmented off from corporate IT systems. In these cases, attackers can use ordinary hacking methods, including phishing, to attack the corporate network and then sidestep their way onto mission-critical industrial segments. At that point, they can exploit vulnerabilities in all sorts of industrial equipment, such as unpatched Phoenix Contact switches,” Galloway added.

This is not the first time that vulnerabilities in Phoenix Contact switches have been found. Earlier this year, security flaws that could enable full control of FL SWITCH devices were reported.

Dr Guy Bunker, SVP of Products at Clearswift, told SC Media UK that industrial vendors are aware of the risks, and the stories in the media about state sponsored attacks against infrastructure occur on a regular basis.

“For big suppliers, this unwanted attention drives them to create more secure devices and increase the protection around them, if they are connected to the Internet. For smaller suppliers, there is still a challenge due to the ‘it won't happen to me’, ‘why would anyone want to attack us’ thinking which is coupled with the fact that retrofitting security is not cheap. There are standards for securing national infrastructure, e.g. NIS Regulations, but there should be something similar for other industrial controls,” he said.

Liviu Arsene, senior e-threat analyst at Bitdefender, told SC Media UK that besides installing the latest security updates, some industrial control systems are best kept in closed networks (e.g. air-gapped), under tight access, and constantly evaluated for potential security breaches.

“Since most of these systems don't support on-device security, it's usually through network segregation, access control, and network security best practices that can prevent or limit the potential fallout of having these systems compromised by online threat actors,” he said.

Ofer Maor, director of solutions management at Synopsys, told SC Media UK that examples such as Stuxnet prove that malicious offensive attacks can be conducted against air-gapped networks, as air-gapped does not mean sealed.

“Air gapped networks still require input and output of data, most commonly done over media such as USB drives, which can be used to inject malicious Trojans. Nonetheless, air gapping makes it much harder (ergo more expensive) to attack and is good practice when the value of the connected service is lower than the potential risk it introduces,” he said.
