OTPulse

Innominate MGuard Weak HTTPS and SSH Keys

Low Risk | ICS-CERT ICSA-12-167-01 | Mar 19, 2012
Summary

Innominate mGuard security appliances use weak cryptographic keys for HTTPS and SSH. The devices ship with insufficiently random or predictable key material, allowing attackers who obtain the keys to impersonate the device or intercept encrypted communications. This affects multiple mGuard product lines including Blade, Delta, EAGLE, PCI, Industrial RS, and Smart variants.

What this means
What could happen
An attacker could impersonate an mGuard device or decrypt HTTPS/SSH traffic by using weak keys, potentially compromising management communications and allowing unauthorized access to the appliance or networks it protects.
Who's at risk
Manufacturing facilities and critical infrastructure using Innominate mGuard industrial security appliances, specifically operators of mGuard Blade, Delta, EAGLE, PCI, Industrial RS, and Smart variants used for network protection and industrial process control monitoring.
How it could be exploited
An attacker would need to obtain or derive the weak HTTPS/SSH private keys used by the mGuard device. Once obtained, the attacker could perform man-in-the-middle attacks against connections to the device or use the keys to authenticate as the mGuard appliance itself. This requires the attacker to have access to or be able to intercept traffic to the affected appliance.
Prerequisites
  • Ability to obtain the weak cryptographic keys from the device or intercept and potentially crack them
  • Network access to the mGuard device or the communications it handles
Tags: no patch available, weak cryptographic implementation, affects security appliances
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (6)
6 EOL
Product                 Affected Versions                          Fix Status
mGuard PCI              HW-102020|HW-102050|BD-111010|BD-111020    No fix (EOL)
mGuard Industrial RS    HW-105000|BD-501000|BD-501010|BD-501020    No fix (EOL)
mGuard Blade            HW-104020|HW-104050                        No fix (EOL)
mGuard Delta            HW-103050|BD-201000                        No fix (EOL)
EAGLE mGuard            HW-201000|BD-301010                        No fix (EOL)
mGuard Smart            HW-101020|HW-101050|BD-101010|BD-101020    No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Contact Innominate to determine if a key replacement service or updated firmware is available for your specific mGuard model
HARDENING: Restrict network access to mGuard management interfaces (HTTPS, SSH) using firewall rules to allow only authorized engineering workstations
Mitigations - no patch available
The following products have reached End of Life with no planned fix: mGuard PCI: HW-102020|HW-102050|BD-111010|BD-111020, mGuard Industrial RS: HW-105000|BD-501000|BD-501010|BD-501020, mGuard Blade: HW-104020|HW-104050, mGuard Delta: HW-103050|BD-201000, EAGLE mGuard: HW-201000|BD-301010, mGuard Smart: HW-101020|HW-101050|BD-101010|BD-101020. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate mGuard devices from untrusted networks and limit lateral movement if a device is compromised
HARDENING: Monitor mGuard device logs and management access for suspicious authentication or connection attempts