SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-781658110] Red Lion Controls Sixnet-Managed Industrial Switches, AutomationDirect STRIDE-Managed Ethernet Switches Vulnerability

| Date | Type | Platform | Author | EDB-ID | CVE-ID | OSVDB-ID | Download | App | SIS Signature |
|---|---|---|---|---|---|---|---|---|---|
| 2017-02-23 | Other | Red Lion Controls | Mark Cross of RIoT Solutions identified these vulnerabilities. | N/A | CVE-2016-9335 | N/A | N/A | N/A | |

Source

#
# Red Lion Controls Sixnet-Managed Industrial Switches, AutomationDirect STRIDE-Managed Ethernet Switches Vulnerability
#


### VULNERABLE VENDOR
Red Lion Controls


### VULNERABLE PRODUCT
Sixnet-Managed Industrial Switches and STRIDE-Managed Ethernet Switches



### RESEARCHER
Mark Cross of RIoT Solutions identified these vulnerabilities.



### AFFECTED PRODUCTS

The following Red Lion Controls Sixnet-Managed Industrial Switches are affected:

- Sixnet-Managed Industrial Switches running firmware Version 5.0.196 and prior.

The following AutomationDirect STRIDE-Managed Ethernet Switch models, which are manufactured by Red Lion Controls, are affected:

- STRIDE-Managed Ethernet Switches running firmware Version 5.0.190 and prior.



### IMPACT

Successful exploitation of the hard-coded cryptographic key vulnerabilities could result in loss of data confidentiality, integrity, and availability.



### VULNERABILITY OVERVIEW

USE OF HARD-CODED CRYPTOGRAPHIC KEY (CWE-321)
A hard-coded cryptographic key vulnerability was identified.
Vulnerable versions of STRIDE-Managed Ethernet switches and Sixnet-Managed Industrial switches use hard-coded SSL (HTTPS) and SSH keys for secure communication.
Because users cannot regenerate these keys, every affected device ships with the same key.
An attacker could disrupt communication or compromise the system.
CVE-2016-9335 has been assigned to this vulnerability.
A CVSS v3 base score of 10 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).





### BACKGROUND

Critical Infrastructure Sector: Critical Manufacturing
Countries/Areas Deployed: Deployed worldwide
Company Headquarters Location: United States




### MITIGATION

Red Lion Controls has released SLX firmware Version 5.3.174 to address the hard-coded cryptographic keys issue.

Red Lion Controls recommends updating to SLX firmware Version 5.3.174, found here:

http://www.redlion.net/ethernet-switches-software-firmware


AutomationDirect recommends updating to STRIDE-Managed Ethernet firmware Version 5.3.174, found here:

http://support.automationdirect.com/firmware/binaries.html
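The two checks an asset owner would want after reading the VULNERABILITY OVERVIEW and MITIGATION sections above are (1) which switches in the fleet still run firmware in the affected or pre-fix range, and (2) whether several devices present the same SSH host key, which is exactly the symptom of a hard-coded, non-regenerable key. The script below is an added example written for this page; it is not code from CRITIFENCE, Red Lion Controls or AutomationDirect. The device names, product families and key blobs in the inventory are constructed placeholders (the blobs are arbitrary bytes, not real keys); the version thresholds are the ones the advisory states. It goes slightly beyond the page in classifying versions between 5.0.196/5.0.190 and 5.3.174 as "pre-fix", since the advisory does not say whether those builds are affected, only that 5.3.174 is the fixed release.

```python
import base64
import hashlib
from collections import defaultdict

# Version thresholds taken from the advisory text.
FIXED_VERSION = "5.3.174"
LAST_AFFECTED = {
    "sixnet": "5.0.196",  # Sixnet-Managed Industrial Switches, 5.0.196 and prior
    "stride": "5.0.190",  # STRIDE-Managed Ethernet Switches, 5.0.190 and prior
}


def parse_version(version):
    """'5.0.196' -> (5, 0, 196): compare firmware numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))


def firmware_status(family, version):
    """Classify a device's firmware against the advisory's ranges.

    'affected' : within the range the advisory lists as vulnerable
    'pre-fix'  : newer than that range but older than the fixed release
    'fixed'    : at or above the release that addresses CVE-2016-9335
    """
    ver = parse_version(version)
    if ver <= parse_version(LAST_AFFECTED[family]):
        return "affected"
    if ver < parse_version(FIXED_VERSION):
        return "pre-fix"
    return "fixed"


def ssh_fingerprint(pubkey_line):
    """SHA256 fingerprint of an OpenSSH public-key line ('<type> <base64-blob> ...'),
    in the form `ssh-keygen -l -E sha256` prints: 'SHA256:' + unpadded base64."""
    _key_type, blob_b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_host_keys(inventory):
    """Map fingerprint -> device names for every host key seen on more than one device.
    Distinct devices presenting the same key is the fingerprint of a hard-coded key."""
    by_fingerprint = defaultdict(list)
    for device in inventory:
        by_fingerprint[ssh_fingerprint(device["host_key"])].append(device["name"])
    return {fp: names for fp, names in by_fingerprint.items() if len(names) > 1}


def audit(inventory):
    """Full report: per-device firmware status plus any host keys shared across devices."""
    return {
        "firmware": {d["name"]: firmware_status(d["family"], d["version"]) for d in inventory},
        "shared_keys": shared_host_keys(inventory),
    }


# Constructed sample inventory (assumption: names, families and versions are illustrative).
# The key blobs are placeholder bytes, not real device keys; in practice the host_key field
# holds the line recorded for the switch in known_hosts or returned by ssh-keyscan.
_BLOB_A = base64.b64encode(b"constructed host key material A").decode()
_BLOB_B = base64.b64encode(b"constructed host key material B").decode()
INVENTORY = [
    {"name": "sw-line1", "family": "sixnet", "version": "5.0.196", "host_key": f"ssh-rsa {_BLOB_A}"},
    {"name": "sw-line2", "family": "sixnet", "version": "5.0.150", "host_key": f"ssh-rsa {_BLOB_A}"},
    {"name": "sw-pack1", "family": "stride", "version": "5.0.190", "host_key": f"ssh-rsa {_BLOB_A}"},
    {"name": "sw-lab1",  "family": "stride", "version": "5.3.174", "host_key": f"ssh-rsa {_BLOB_B}"},
]

if __name__ == "__main__":
    report = audit(INVENTORY)
    for name, status in report["firmware"].items():
        print(f"{name}: firmware {status}")
    for fp, names in report["shared_keys"].items():
        print(f"host key {fp} shared by: {', '.join(names)}")
```

The same grouping works for the HTTPS side of the advisory: replace the SSH host-key line with the SHA-256 fingerprint of each switch's TLS certificate and any certificate that appears on more than one device is a shared, hard-coded key. Versions are compared as integer tuples deliberately, because a plain string comparison would rank "5.0.99" above "5.0.196".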