Hirschmann Automation and Control GmbH Classic Platform Switches
Monitor · 7.5 · ICS-CERT ICSA-18-065-01 · Mar 6, 2018
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary
Hirschmann Automation and Control GmbH Classic Platform Switches contain multiple cryptographic and authentication weaknesses (CWE-326, CWE-319, CWE-384, CWE-307, CWE-598). These vulnerabilities allow an attacker with network access to intercept, decrypt, and potentially manipulate encrypted communications. All versions of RSB, OCTOPUS, RS, MS, MACH100, RSR, MACH1000, and MACH4000 switches are affected. No vendor patch is available.
What this means
What could happen
An attacker with network access and knowledge of encryption weaknesses could intercept and decrypt communications to the switch, potentially allowing unauthorized access or manipulation of network traffic flowing through industrial network segments.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Hirschmann Classic Platform Switches (RSB, OCTOPUS, RS, MS, MACH100, RSR, MACH1000, MACH4000) for industrial network switching and management. These devices are commonly deployed in Ethernet-based control networks that interconnect PLCs, RTUs, and operator workstations.
How it could be exploited
An attacker on the network segment could capture encrypted management or data traffic to Hirschmann Classic Platform Switches and exploit weak cryptographic implementations (CWE-326, CWE-319) to decrypt the communications. With knowledge of session mechanisms (CWE-384) and potentially weak authentication (CWE-307), they could then inject commands or alter switch configuration.
Prerequisites
- Network access to the switch management port or data traffic path
- Knowledge of the switch's cryptographic implementation
- Time and computational resources to break or reverse the encryption scheme
Remotely exploitable · No patch available · Weak cryptographic implementation · All versions affected
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (8)
8 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| Classic Platform Switches OCTOPUS | All versions | No fix (EOL) |
| Classic Platform Switches RS | All versions | No fix (EOL) |
| Classic Platform Switches MS | All versions | No fix (EOL) |
| Classic Platform Switches MACH100 | All versions | No fix (EOL) |
| Classic Platform Switches MACH1000 | All versions | No fix (EOL) |
| Classic Platform Switches MACH4000 | All versions | No fix (EOL) |
| Classic Platform Switches RSB | All versions | No fix (EOL) |
| Classic Platform Switches RSR | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Place all Hirschmann Classic Platform Switches behind a firewall and restrict network access to only authorized management stations
- HARDENING: Isolate switch management networks from business network and ensure switches are not reachable from the Internet
- WORKAROUND: If remote management access is required, deploy a VPN to encrypt the connection and restrict access by IP address
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Implement network segmentation to restrict which devices can communicate with these switches