Siemens-owned industrial switch maker RuggedCom has discovered similar key management flaws in more devices as it works to deliver a fix for the recently discovered RuggedOS (ROS) eavesdropping vulnerability.
The newly discovered flaws affect RuggedCom devices that run its ROX I and II operating system firmware and the RuggedMax operating system, which run its base station units and WiMax subscriber access systems.
In a security alert last Friday, RuggedCom said ROX devices “may have the same private keys for encrypted HTTPs/SSL and SSH communications”.
Affected products include the RX1000 router, RX1100 security appliance, RX5000 router and switch, and its RX1500. RuggedMax affected devices include the Win700 and Win7200 base station units and the Win5100 and Win5200 WiMax subscriber devices.
The flaw is similar to the ROS flaw uncovered in the past fortnight by Cylance Inc security researcher Justin Clarke.
Clarke found a hardcoded SSL private key that an attacker could recover. With that private key, an attacker could impersonate the RuggedOS device and eavesdrop on communications between a user and the ROS device.
Similarly, the private keys shipped from the factory with ROX devices and RuggedMax can be discovered, but unlike the ROS flaw, customers do not have to wait for a fix.
“This vulnerability can be mitigated by simply changing the private keys on the ROX device,” the alert advises.
RuggedCom also said the flaw does not impact traffic passing through ROX or RuggedMax devices.
The company “strongly encouraged” administrators to change SSL and SSH keys for both devices and recommended disabling HTTPS access.
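The underlying condition in all of these advisories is the same key material presented by many devices. A fleet-level check for that condition, written here as an added example (not RuggedCom's code, nor from the advisory), takes `ssh-keyscan`-style output for each device and flags any host-key fingerprint that more than one host presents; the sample scan lines and key blobs below are constructed placeholders, not real device keys.

```python
import base64
import hashlib
from collections import defaultdict

# Constructed sample in `ssh-keyscan` output format ("host keytype base64-key").
# The key blobs are placeholders (base64 of short strings), not real SSH keys;
# they stand in for host keys collected from a fleet of appliances.
KEY_A = base64.b64encode(b"constructed-host-key-A").decode()
KEY_B = base64.b64encode(b"constructed-host-key-B").decode()
SAMPLE_SCAN = f"""
# 192.0.2.10:22 SSH-2.0-constructed
192.0.2.10 ssh-rsa {KEY_A}
# 192.0.2.11:22 SSH-2.0-constructed
192.0.2.11 ssh-rsa {KEY_A}
192.0.2.12 ssh-rsa {KEY_B}
"""


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style SHA256 fingerprint: unpadded base64 of the blob's SHA-256."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str) -> dict:
    """Map each fingerprint to the (host, keytype) pairs that presented it."""
    seen = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # skip blanks and keyscan banners
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        host, keytype, blob = parts[0], parts[1], parts[2]
        seen[fingerprint(blob)].append((host, keytype))
    return seen


def shared_keys(text: str) -> dict:
    """Fingerprints seen on more than one distinct host: the signature of a shared factory key."""
    result = {}
    for fp, entries in parse_keyscan(text).items():
        hosts = sorted({host for host, _ in entries})
        if len(hosts) > 1:
            result[fp] = hosts
    return result


if __name__ == "__main__":
    for fp, hosts in shared_keys(SAMPLE_SCAN).items():
        print(f"{fp} shared by {', '.join(hosts)}: replace the key on each device")
```

The same comparison applies to the HTTPS certificates' public keys, collected with any TLS client and fingerprinted the same way.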