A new CVE has been announced about a hard-coded SSL certificate vulnerability. CVE-2015-7923 is about hard-coded certificate may cause Man-In-the-Middle Attack. Independent researcher Neil Smith has identified a hard-coded certificate vulnerability in Westermo’s industrial switches. The company has developed an update to allow the web interface certificate to be changed. Neil Smith has tested the update to validate that it resolves the vulnerability.

Westermo is a Sweden-based company, working on industrial communication systems, maintains offices in several countries around the world, including the US, Austria, Belgium, China, France, Germany, Singapore, Switzerland, Taiwan, and the UK.

The following Westermo Products are affected:

  • WeOS versions older than Version 4.19.0 (indication, subject to change).

This software is used within the following Westermo Product Lines:

  • Falcon,
  • Lynx,
  • Wolverine,
  • Corazon,
  • Viper, and
  • Redfox series.

Certificates provide a key used by the switch software to encrypt and decrypt communications. The detrimental impact of the certificate being hard coded is that the key cannot be changed. Once the key is compromised, a malicious party has access to the decrypted network traffic from the device. A malicious party can then read and modify traffic that is intercepted and decrypted.

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

The affected products, industrial switches, are networking devices that route and provide connectivity to SCADA systems. According to Westermo, the switches are deployed across several sectors including Commercial Facilities, Critical Manufacturing, Energy, Water and Wastewater Systems, and others. These products are used worldwide.

The SSL keys used by the switches to provide secure communications are hard coded. Malicious parties could obtain the key, stage a Man-in-the-Middle attack posing to be a WeOS device, and then obtain credentials entered by the end-user. With those credentials, the malicious party would have authenticated access to that device.

CVE-2015-7923 has been assigned to this vulnerability. A CVSS v3 base score of 9.0 and a temporal score of 8.2 have been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:T/RC:C).

Westermo is working on an update to automate the changing of the key, which will be published on its web site as soon as it is ready.