Mandar Jadhav (security researcher from Qualys) has found that Westermo’s MRD-305-DIN, MRD-315, MRD-355 and MRD-455 modern routers, that are used for remote access worldwide in the commercial facilities, critical manufacturing and energy sectors, are opened to attacks by three vulnerabilities.
Westermo provides a complete range of industrial data communications (SCADA) solutions for demanding applications in the transport, water and energy markets among others. MRD devices provide resilient remote access and eliminate the need for costly site visits. With support for secure VPN communications, static and dynamic IP routing, NAT, port forwarding, OpenVPN (SSL VPN), and a stateful packet inspection firewall, the Westermo wireless mobile broadband routers provide secure, reliable communications.
The researcher noticed that the firmware exists on these devices included hardcoded SSH and HTTPS certificates and their associated private keys. This data enables an attacker to decrypt traffic through man-in-the-middle (MitM), which may include administrator credentials that can be used to access the device with high privileges.
He also found that the firmware contains an undocumented “user” account, which could allow for unauthorized local low privileged access to the device. After cracking that hash, you will get a password “user“.
Jadhav also discovered that the firmware fails to implement any anti-csrf token on different pages. Which may lead to unauthorized manipulation of the device if an authenticated user is accessing an infected web site concurrently to the device web management interface.