CVE-2016-9335 – This vulnerability involves hard-coded cryptogr... (How to Fix)

Q: What is the severity of CVE-2016-9335?

CVE-2016-9335 has a CVSS score of 10.0 (CRITICAL). This vulnerability involves hard-coded cryptographic keys in Red Lion industrial switches that cannot be changed by users, allowing attackers to decrypt secure communications, impersonate devices, or disrupt operations. Affected systems include Sixnet-Managed Industrial Switches and Stride-Managed Ethernet Switches running specific vulnerable firmware versions.

📋 TL;DR

This vulnerability involves hard-coded cryptographic keys in Red Lion industrial switches that cannot be changed by users, allowing attackers to decrypt secure communications, impersonate devices, or disrupt operations. Affected systems include Sixnet-Managed Industrial Switches and Stride-Managed Ethernet Switches running specific vulnerable firmware versions.

💻 Affected Systems

Products:

Red Lion Controls Sixnet-Managed Industrial Switches
Red Lion Controls Stride-Managed Ethernet Switches

Versions: Sixnet: Version 5.0.196, Stride: Version 5.0.190

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All devices using these firmware versions are vulnerable regardless of configuration due to hard-coded keys in the firmware itself.

📦 What is this software?

Sixnet Managed Industrial Switches Firmware by Redlion

View all CVEs affecting Sixnet Managed Industrial Switches Firmware →

Stride Managed Ethernet Switches Firmware by Redlion

View all CVEs affecting Stride Managed Ethernet Switches Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of industrial control systems allowing attackers to intercept/manipulate all communications, disrupt critical infrastructure operations, or gain persistent access to industrial networks.

🟠

Likely Case

Attackers decrypting sensitive industrial communications, performing man-in-the-middle attacks, or gaining unauthorized access to network segments containing vulnerable switches.

🟢

If Mitigated

Limited impact through network segmentation and monitoring, though communications remain vulnerable to decryption if attackers obtain the hard-coded keys.

🌐 Internet-Facing: HIGH - CVSS 10.0 indicates network-accessible, no authentication required, and complete compromise possible if exposed to internet.

🏢 Internal Only: HIGH - Even internally, attackers with network access can exploit this without authentication to compromise communications and systems.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires obtaining the hard-coded keys but once obtained, attacks require minimal technical skill. The CVSS vector indicates no authentication required and low attack complexity.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SLX firmware Version 5.3.174

Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-17-054-02

Restart Required: Yes

Instructions:

1. Download SLX firmware Version 5.3.174 from Red Lion Controls. 2. Backup current configuration. 3. Upload new firmware via web interface or console. 4. Reboot switch. 5. Verify firmware version after reboot.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate vulnerable switches in separate VLANs with strict firewall rules to limit attack surface

Disable Remote Management

all

Disable HTTP/HTTPS/SSH management interfaces if not required for operations

🧯 If You Can't Patch

Implement strict network access controls allowing only trusted IP addresses to communicate with switches
Monitor network traffic for unusual SSL/SSH handshakes or decryption attempts

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface (System > About) or console command 'show version'. If version matches affected versions, device is vulnerable.

Check Version:

show version (console) or check System > About in web interface

Verify Fix Applied:

After patching, verify firmware version shows 5.3.174 or higher in System > About page.

📡 Detection & Monitoring

Log Indicators:

Multiple failed SSL/SSH connection attempts
Unexpected certificate validation errors
Unusual management interface access patterns

Network Indicators:

SSL/TLS handshakes using unexpected certificates
SSH connections with unusual key exchanges
Traffic decryption attempts on switch management ports

SIEM Query:

source="industrial_switch" AND (event_type="auth_failure" OR certificate_validation="failed")

📊 Metadata

CVE ID: CVE-2016-9335

CVSS v3 Score: 10.0 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-321

Published: May 9, 2018

Last Updated: November 21, 2024

🔗 References

https://ics-cert.us-cert.gov/advisories/ICSA-17-054-02 Third Party Advisory,US Government Resource
https://ics-cert.us-cert.gov/advisories/ICSA-17-054-02 Third Party Advisory,US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2016-9335, you might also want to check these: