GE MultiLink Series Switch security updates

Number: AV16-090
Date: 3 June 2016

Purpose

The purpose of this advisory is to bring attention to Multilink Series firmware security updates released by General Electric.

Assessment

General Electric released firmware security updates for GE MultiLink Series switches to address a hard-coded credentials vulnerability VulnerabilityA flaw or weakness in the design or implementation of an information system or its environment that could be exploited to adversely affect an organization's assets or operations. .  An attacker could remotely exploit this vulnerability by using the hard-coded factory password to gain full access to affected devices.

Affected versions:

GE ML800 Switch, firmware versions prior to Version 5.5.0,
GE ML810 Switch, firmware versions prior to Version 5.5.0k,
GE ML1200 Switch, firmware versions prior to Version 5.5.0,
GE ML1600 Switch, firmware versions prior to Version 5.5.0,
GE ML2400 Switch, firmware versions prior to Version 5.5.0,
GE ML3000 Switch, firmware versions prior to Version 5.5.0k, and
GE ML3100 Switch, firmware versions prior to Version 5.5.0k.

CVE Reference: CVE-2016-2310

Suggested Action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.

References:

ICS-CERT Advisory (ICSA-16-147-02)
https://ics-cert.us-cert.gov/advisories/ICSA-16-154-01

ML800 switch firmware update:
https://www.gegridsolutions.com/app/Resources.aspx?prod=ml800&type=7

ML810 switch firmware update:
https://www.gegridsolutions.com/app/Resources.aspx?prod=ml810&type=7

ML1200 switch firmware update:
https://www.gegridsolutions.com/app/Resources.aspx?prod=ml1200&type=7

ML1600 switch firmware update:
https://www.gegridsolutions.com/app/Resources.aspx?prod=ml1600&type=7

ML2400 switch firmware update:
https://www.gegridsolutions.com/app/Resources.aspx?prod=ml2400&type=7

ML3000 and ML3100 firmware update:
https://www.gegridsolutions.com/app/Resources.aspx?prod=ml3000&type=7