GE MultiLink Series Switch Security Updates

Number: AV16-090
Date: 3 June 2016

Purpose

The purpose of this advisory is to bring attention to MultiLink Series firmware security updates released by General Electric.

Assessment

General Electric released firmware security updates for GE MultiLink Series switches to address a hard-coded credentials vulnerability. An attacker could remotely exploit this vulnerability by using the hard-coded factory password to gain full access to affected devices.

Affected versions:

GE ML800 Switch, firmware versions prior to Version 5.5.0,
GE ML810 Switch, firmware versions prior to Version 5.5.0k,
GE ML1200 Switch, firmware versions prior to Version 5.5.0,
GE ML1600 Switch, firmware versions prior to Version 5.5.0,
GE ML2400 Switch, firmware versions prior to Version 5.5.0,
GE ML3000 Switch, firmware versions prior to Version 5.5.0k, and
GE ML3100 Switch, firmware versions prior to Version 5.5.0k.

CVE Reference: CVE-2016-2310

Suggested Action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.

References:

ICS-CERT Advisory (ICSA-16-147-02)
https://ics-cert.us-cert.gov/advisories/ICSA-16-154-01

ML800 switch firmware update:
https://www.gegridsolutions.com/app/Resources.aspx?prod=ml800&type=7

ML810 switch firmware update:
https://www.gegridsolutions.com/app/Resources.aspx?prod=ml810&type=7

ML1200 switch firmware update:
https://www.gegridsolutions.com/app/Resources.aspx?prod=ml1200&type=7

ML1600 switch firmware update:
https://www.gegridsolutions.com/app/Resources.aspx?prod=ml1600&type=7

ML2400 switch firmware update:
https://www.gegridsolutions.com/app/Resources.aspx?prod=ml2400&type=7

ML3000 and ML3100 firmware update:
https://www.gegridsolutions.com/app/Resources.aspx?prod=ml3000&type=7

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note, CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
