CVE-2017-14021 – This CVE involves hard-coded cryptographic keys... (How to Fix)

Q: What is the severity of CVE-2017-14021?

CVE-2017-14021 has a CVSS score of 9.8 (CRITICAL). This CVE involves hard-coded cryptographic keys in multiple Korenix JetNet industrial switches, allowing attackers to extract certificates and private keys. This enables man-in-the-middle attacks where attackers can intercept, decrypt, and modify network traffic. Affected organizations include industrial facilities, utilities, and any environment using these specific switch models.

📋 TL;DR

This CVE involves hard-coded cryptographic keys in multiple Korenix JetNet industrial switches, allowing attackers to extract certificates and private keys. This enables man-in-the-middle attacks where attackers can intercept, decrypt, and modify network traffic. Affected organizations include industrial facilities, utilities, and any environment using these specific switch models.

💻 Affected Systems

Products:

Korenix JetNet5018G
Korenix JetNet5310G
Korenix JetNet5428G-2G-2FX
Korenix JetNet5628G-R
Korenix JetNet5628G
Korenix JetNet5728G-24P
Korenix JetNet5828G
Korenix JetNet6710G-HVDC
Korenix JetNet6710G

Versions: JetNet5018G v1.4, JetNet5310G v1.4a, JetNet5428G-2G-2FX v1.4, JetNet5628G-R v1.4, JetNet5628G v1.4, JetNet5728G-24P v1.4, JetNet5828G v1.1d, JetNet6710G-HVDC v1.1e, JetNet6710G v1.1

Operating Systems: Embedded switch firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All devices with these firmware versions are vulnerable regardless of configuration. The hard-coded keys are embedded in the firmware.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete network compromise where attackers intercept all encrypted traffic, inject malicious commands, disrupt industrial operations, and potentially cause physical damage or safety incidents.

🟠

Likely Case

Network traffic interception allowing credential theft, data exfiltration, and unauthorized access to industrial control systems.

🟢

If Mitigated

Limited impact if switches are isolated in protected networks with strict access controls and network segmentation.

🌐 Internet-Facing: HIGH - If switches are exposed to the internet, attackers can easily intercept traffic and compromise the entire network.

🏢 Internal Only: MEDIUM - Attackers with internal access can still perform man-in-the-middle attacks, but requires initial network foothold.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires network access to the switch but no authentication. Attackers can extract keys from firmware or intercept traffic using known certificates.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Contact Korenix for updated firmware versions

Vendor Advisory: https://ics-cert.us-cert.gov/advisories/ICSA-17-299-01

Restart Required: Yes

Instructions:

1. Contact Korenix technical support for updated firmware. 2. Download the firmware update for your specific model. 3. Backup current configuration. 4. Upload and install new firmware via web interface or console. 5. Reboot the switch. 6. Verify firmware version and regenerate certificates.

🔧 Temporary Workarounds

Network Segmentation

all

Isolate affected switches in separate VLANs with strict firewall rules to limit attack surface.

Traffic Monitoring

all

Implement network monitoring and IDS/IPS to detect man-in-the-middle attempts and certificate anomalies.

🧯 If You Can't Patch

Replace affected switches with non-vulnerable models
Implement strict network access controls and monitor all traffic to/from affected switches

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface (System > Firmware) or console command 'show version'. Compare against affected versions list.

Check Version:

show version (console) or check System > Firmware in web interface

Verify Fix Applied:

Verify firmware version is updated beyond affected versions and check that new certificates are generated (not the hard-coded ones).

📡 Detection & Monitoring

Log Indicators:

Certificate validation failures
Unexpected certificate changes
Multiple SSL/TLS handshake failures

Network Indicators:

SSL/TLS traffic interception attempts
Certificate mismatches in network traffic
Unexpected certificate authorities

SIEM Query:

ssl.certificate.issuer:"Korenix" OR ssl.certificate.serial_number IN [hard-coded serials from advisory]

📊 Metadata

CVE ID: CVE-2017-14021

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-321

Published: November 1, 2017

Last Updated: April 20, 2025

🔗 References

http://www.securityfocus.com/bid/101598 Third Party Advisory,VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-299-01 Third Party Advisory,US Government Resource
http://www.securityfocus.com/bid/101598 Third Party Advisory,VDB Entry
https://ics-cert.us-cert.gov/advisories/ICSA-17-299-01 Third Party Advisory,US Government Resource

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2017-14021, you might also want to check these: