CVE-2016-9335 in Controls Sixnet-Managed Industrial Switch
Summary
by MITRE
A hard-coded cryptographic key vulnerability was identified in Red Lion Controls Sixnet-Managed Industrial Switches running firmware Version 5.0.196 and Stride-Managed Ethernet Switches running firmware Version 5.0.190. Vulnerable versions of Stride-Managed Ethernet switches and Sixnet-Managed Industrial switches use hard-coded HTTP SSL/SSH keys for secure communication. Because these keys cannot be regenerated by users, all products use the same key. The attacker could disrupt communication or compromise the system. CVSS v3 base score: 10, CVSS vector string: (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H). Red Lion Controls recommends updating to SLX firmware Version 5.3.174.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 02/03/2020
The vulnerability described in CVE-2016-9335 represents a critical cryptographic weakness in industrial networking equipment manufactured by Red Lion Controls, specifically affecting their Sixnet-Managed Industrial Switches and Stride-Managed Ethernet Switches. This flaw stems from the implementation of hard-coded cryptographic keys within the firmware of these industrial devices, creating a fundamental security weakness that directly violates industry best practices for cryptographic key management. The vulnerability exists in firmware versions 5.0.196 for Sixnet switches and 5.0.190 for Stride switches, where the manufacturers embedded identical cryptographic keys that cannot be modified or regenerated by system administrators. This design choice creates a single point of failure that compromises the entire security architecture of these industrial devices.
The technical implementation of this vulnerability falls under CWE-320, which specifically addresses "Cryptographic Keys in Configuration Files" and "Use of Hard-coded Cryptographic Keys" in industrial control systems. The flaw allows attackers to exploit the identical cryptographic keys across all affected devices, enabling them to perform man-in-the-middle attacks, decrypt communications, and potentially gain unauthorized access to the industrial network infrastructure. The CVSS v3 score of 10.0 indicates the highest severity level, reflecting the critical nature of this vulnerability where the attack vector is network-based, requires no user interaction, and can result in complete compromise of confidentiality, integrity, and availability. The attack complexity is rated as low since the keys are publicly known and can be easily extracted from the firmware images, making this vulnerability particularly dangerous for industrial environments where network security is paramount.
The operational impact of this vulnerability extends beyond simple network disruption to encompass potential system compromise and industrial control system breaches that could affect critical infrastructure operations. Attackers exploiting this vulnerability could establish persistent access to industrial networks, monitor sensitive communications, and potentially manipulate industrial processes through unauthorized access to switch management interfaces. The consequences are particularly severe in industrial settings where these switches control critical network communications between control systems and field devices, as the compromise of these devices could lead to operational disruptions, safety hazards, or even physical damage to industrial processes. The fact that this vulnerability affects both Sixnet and Stride managed switches indicates a systemic flaw in the product line's security architecture, potentially leaving entire industrial installations vulnerable to coordinated attacks.
Red Lion Controls addressed this vulnerability by releasing firmware update version 5.3.174, which eliminates the hard-coded cryptographic keys and implements proper key management procedures for secure communications. The recommended mitigation strategy involves immediate firmware updates across all affected industrial switch installations, though organizations must carefully plan these updates to avoid operational disruptions in critical industrial environments. Security professionals should implement additional network monitoring measures to detect potential exploitation attempts, as the vulnerability may not be immediately apparent through standard network scanning. The incident highlights the importance of proper cryptographic key management in industrial control systems and demonstrates how embedded security flaws in industrial networking equipment can create widespread vulnerabilities across multiple devices in the same product line, underscoring the need for comprehensive security assessments of industrial control system components.