|2017-02-23||Other||Red Lion Controls||Mark Cross of RIoT Solutions identified these vulnerabilities.
# Red Lion Controls Sixnet-Managed Industrial Switches, AutomationDirect STRIDE-Managed Ethernet Switches Vulnerability
### VULNERABLE VENDOR
Red Lion Controls
### VULNERABLE PRODUCT
Sixnet-Managed Industrial Switches and STRIDE-Managed Ethernet Switches
### AFFECTED PRODUCTS
The following Red Lion Controls Sixnet-Managed Industrial Switches are affected:
Sixnet-Managed Industrial Switches running firmware Version 5.0.196 and prior.
The following AutomationDirect STRIDE-Managed Ethernet Switch models, which are manufactured by Red Lion Controls, are affected:
STRIDE-Managed Ethernet Switches running firmware Version 5.0.190 and prior.
Successful exploitation of the hard-coded cryptographic key vulnerabilities could result in loss of data confidentiality, integrity, and availability.
### VULNERABILITY OVERVIEW
USE OF HARD-CODED CRYPTOGRAPHIC KEY CWE-321
A hard-coded cryptographic key vulnerability was identified.
Vulnerable versions of STRIDE-Managed Ethernet switches and Sixnet-Managed Industrial switches use hard-coded HTTP SSL/SSH keys for secure communication.
Because these keys cannot be regenerated by users, all products use the same key.
An attacker could disrupt communication or compromise the system.
CVE-2016-9335 has been assigned to this vulnerability.
A CVSS v3 base score of 10 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
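A defender-side check for the shared-key condition described above, as an added example that is not part of the advisory or of either vendor's tooling: it reads host-key lines in the format `ssh-keyscan` prints and reports any key presented by more than one device in an inventory. The addresses, banner and key blobs in the sample are constructed placeholders.

```python
import base64
import hashlib
from collections import defaultdict

def _blob(label):
    # Constructed placeholder key material (not a real key), base64-encoded.
    return base64.b64encode(label.encode()).decode()

# Constructed sample in ssh-keyscan output format: "host keytype base64-blob".
SAMPLE_SCAN = "\n".join([
    "# 192.0.2.10:22 SSH-2.0-constructed-banner",
    f"192.0.2.10 ssh-rsa {_blob('constructed-key-A')}",
    f"192.0.2.11 ssh-rsa {_blob('constructed-key-A')}",
    f"192.0.2.12 ssh-rsa {_blob('constructed-key-B')}",
    f"192.0.2.13 ssh-rsa {_blob('constructed-key-A')}",
    "192.0.2.14 ssh-rsa not*base64",  # malformed line, must be skipped
])

def fingerprint(b64_blob):
    """SHA256 fingerprint in the form OpenSSH prints (unpadded base64)."""
    raw = base64.b64decode(b64_blob, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def shared_host_keys(scan_text):
    """Return ({(keytype, fingerprint): hosts}, skipped_lines) for keys on 2+ hosts."""
    seen = defaultdict(set)
    skipped = []
    for line in scan_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or scanner comment
        parts = line.split()
        if len(parts) < 3:
            skipped.append(line)
            continue
        host, keytype, blob = parts[:3]
        try:
            seen[(keytype, fingerprint(blob))].add(host)
        except ValueError:  # binascii.Error (bad base64) is a ValueError
            skipped.append(line)
    shared = {k: sorted(v) for k, v in seen.items() if len(v) > 1}
    return shared, skipped

if __name__ == "__main__":
    shared, skipped = shared_host_keys(SAMPLE_SCAN)
    for (keytype, fp), hosts in shared.items():
        print(f"{keytype} {fp} is presented by {len(hosts)} hosts: {', '.join(hosts)}")
    for line in skipped:
        print(f"skipped unparseable line: {line}")
```
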
Critical Infrastructure Sector: Critical Manufacturing
Countries/Areas Deployed: Deployed worldwide
Company Headquarters Location: United States
Red Lion Controls has released SLX firmware Version 5.3.174 to address the hard-coded cryptographic keys issue.
Red Lion Controls recommends updating to SLX firmware Version 5.3.174, found here:
AutomationDirect recommends updating to Stride Managed Ethernet firmware Version 5.3.174, found here: