There are hard-coded credentials in the operating system of the ORing Industrial DIN-Rail Device Server 5042/5042+ systems that can grant attackers administrative access to the device, according to a report on ICS-CERT.
The vulnerability released without coordination with ICS-CERT and the vendor. ICS-CERT has been unable to coordinate this vulnerability with ORing Industrial Networking because of the vendor’s unresponsiveness. ICS-CERT is unaware of any fix by ORing Industrial Networking that mitigates this vulnerability. Researcher Reid Wightman of Digital Bond identified the remotely exploitable vulnerability.
There are public exploits targeting this vulnerability.
The ORing Industrial Networking products suffering from the issue are:
• Industrial DIN-Rail Device Server IDS-5042, all versions, and
• Industrial DIN-Rail Device Server IDS-5042+, all versions.
In addition, there may be other ORing Industrial Networking products affected by this vulnerability.
Attackers can exploit the product by using the default hard-coded credential to log into the device with administrative privileges. Once gaining access, the attacker can read and write to files and change settings. This access level can impact the availability, integrity and confidentiality of the product.
Taiwan-based ORing Industrial Networking maintains offices in several countries around the world, including the U.S., Korea, and China.
The affected products are industrial serial device servers used for SCADA systems. The products deploy over several sectors including manufacturing, oil and gas, transportation, electric utilities, and others, according to ORing.
An attacker can log into the operating system of the device using an SSH connection with the root credentials to gain administrative access. Once the attacker gains access to the device, the file system and settings are accessible, which could result in a loss of availability, integrity and confidentiality. CVE-2012-4577 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.
The ORing software update Web site does not indicate that a new version of firmware or security patch is available.