Security researchers discovered four vulnerabilities in FL Switch industrial switches that could have allowed hackers to access and disrupt industrial networks.
The flaws were discovered by security researchers at Positive Technologies and disclosed by German electrical engineering and automation firm Phoenix Contact. The flaws affect devices that are used for automation purposes in the oil and gas industry, at digital substations and in the maritime industry, among others.
The discovery of the flaws indicates how an increasing number of vulnerabilities have been spotted in industrial networks, highlighting the lack of security in the industry.
“By informing the public of vulnerabilities and providing patches, vendors of network equipment—such as switches and interface convertors—are stepping up to the plate and setting a great example,” Leigh-Anne Galloway, Cyber Security Resilience lead at Positive Technologies, said, SC Magazine reported.
“However, these patches don't always reach installed equipment already in the field. Clients often rely on air gapping even though 82 percent of tested industrial network segments are insufficiently segmented off from corporate IT systems,” Galloway added. “In these cases, attackers can use ordinary hacking methods, including phishing, to attack the corporate network and then sidestep their way onto mission-critical industrial segments. At that point, they can exploit vulnerabilities in all sorts of industrial equipment, such as unpatched Phoenix Contact switches.”
According to Ofer Maor, director of solutions management at Synopsys, attacks like Stuxnet are prime examples of how hackers can launch attacks against air-gapped networks.
“Air gapped networks still require input and output of data, most commonly done over media such as USB drives, which can be used to inject malicious Trojans,” Maor told SC Magazine. “Nonetheless, air gapping makes it much harder (ergo more expensive) to attack and is good practice when the value of the connected service is lower than the potential risk it introduces.”