Korenix refuses to remove built-in backdoor in its JetPort series used across industrial communication sector

Cybersecurity firm SEC Consult has revealed that Korenix Technology has refused to remove the hardcoded backdoor account on the company’s JetPort line, stating that ‘it is needed for customer support and it can’t be cracked in a reasonable amount of time.’

The JetPort device series has been found to contain a built-in backdoor account. “If the corresponding credentials are known to an attacker, he/she can directly access the operating system of the device via the local network (or via NAT). Therefore, an attacker can gain full access,” SEC Consult wrote in its advisory on Tuesday.

Austria-based SEC Consult recommends against using the JetPort devices in production environments, and advises having security professionals conduct a thorough security review to identify and resolve potential further critical security issues. At present, there is no available quick fix.

A Beijer group company, Korenix is a global manufacturer that provides market-oriented, value-focused industrial wired and wireless networking solutions to the industrial communication sector. The products are mainly applied across SMART industries, including surveillance, machine-to-machine, automation, remote monitoring, and transportation. Its global customer base covers different sales channels, including end-users, OEMs, system integrators, and brand label partners.

The issue is tracked as CVE-2020-12501. Multiple backdoor accounts were found during quick security checks of different firmware files, SEC Consult said in 2020. One backdoor account was tested on a device purchased later to verify this specific finding, it added.

The account is being made public now, following an extensive disclosure process between SEC Consult and Korenix, which concluded with the vendor saying that the account will not be removed. Following this, SEC Consult has publicly released the advisory.

While the backdoor account is present on at least one Korenix JetPort device, SEC Consult said that more devices from this vendor might be affected. “Westermo and Comtrol devices may be affected too,” it added on Tuesday.

Furthermore, “two other users are present on the system. An additional telnet-daemon is listening on port 19999,” it added.
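For asset owners who want to run a similar account check on firmware they deploy, the sketch below is an added example, not SEC Consult's tooling or method. It assumes the firmware root filesystem has already been extracted and uses standard `passwd`/`shadow` files; the account names, hashes and the documented-account list are constructed placeholders.

```python
# Added example: list login-capable accounts in extracted firmware that the
# vendor documentation does not mention. All sample data below is constructed.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def _records(text, min_fields):
    """Yield colon-separated records, skipping blanks, comments and short lines."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= min_fields:
                yield fields

def audit_accounts(passwd_text, shadow_text, documented):
    """Return [(user, [reasons])] for undocumented accounts that can log in."""
    shadow = {f[0]: f[1] for f in _records(shadow_text, 2)}
    findings = []
    for f in _records(passwd_text, 7):
        name, pw, uid, shell = f[0], f[1], f[2], f[6]
        if pw == "x":                      # hash is stored in shadow
            pw = shadow.get(name, "*")     # no shadow entry: treat as locked
        locked = pw.startswith(("!", "*"))
        # An empty shell field is NOT a lockout: login falls back to /bin/sh.
        if locked or shell in NOLOGIN_SHELLS or name in documented:
            continue
        reasons = ["uid 0"] if uid == "0" else []
        reasons.append("empty password" if pw == "" else "password hash set")
        findings.append((name, reasons))
    return findings

# Constructed sample files standing in for <rootfs>/etc/passwd and /etc/shadow.
PASSWD = """root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000::/home/admin:/bin/sh
daemon:x:1:1::/:/sbin/nologin
support:x:0:0::/root:/bin/sh
guest::1001:1001::/tmp:
"""
SHADOW = """root:$6$CONSTRUCTED$placeholderhash:18000:0:99999:7:::
admin:$6$CONSTRUCTED$placeholderhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
support:$1$CONSTRUCTED$placeholderhash:18000:0:99999:7:::
"""
DOCUMENTED = {"root", "admin"}  # hypothetical: accounts named in the manual

if __name__ == "__main__":
    for user, reasons in audit_accounts(PASSWD, SHADOW, DOCUMENTED):
        print(f"undocumented login account: {user} ({', '.join(reasons)})")
```

Any account this reports should be raised with the vendor and, until it is resolved, treated as a reason to restrict network access to the device's management services.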

This is not the first time that vulnerabilities have been identified on Korenix equipment. In 2017, some of its JetNet hardware, deployed across commercial facilities, critical manufacturing, and transportation systems, was found to contain hard-coded cryptographic key and hard-coded credentials vulnerabilities. Successful exploitation of these vulnerabilities could allow a remote attacker to gain remote access to the device to run arbitrary code and perform man-in-the-middle attacks.

Earlier, in 2021, undocumented hard-coded root credentials were identified in the firmware of the Korenix JetPort 5600 system. Successful exploitation of the vulnerability would allow attackers to use the hard-coded credential to log into the device with administrative privileges and gain access to the attached serial devices.

Last month, Claroty’s Team82 arm detected two vulnerabilities in the PLC Program Tool from Chinese automation company XINJE, typically deployed across energy, manufacturing, and engineering installations. 
