GE MultiLink Series Switch security updates

Number: AV16-090
Date: 3 June 2016

Purpose

The purpose of this advisory is to bring attention to MultiLink Series firmware security updates released by General Electric.

Assessment

General Electric released firmware security updates for GE MultiLink Series switches to address a hard-coded credentials vulnerability. An attacker could remotely exploit this vulnerability by using the hard-coded factory password to gain full access to affected devices.

Affected versions:

GE ML800 Switch, firmware versions prior to Version 5.5.0,
GE ML810 Switch, firmware versions prior to Version 5.5.0k,
GE ML1200 Switch, firmware versions prior to Version 5.5.0,
GE ML1600 Switch, firmware versions prior to Version 5.5.0,
GE ML2400 Switch, firmware versions prior to Version 5.5.0,
GE ML3000 Switch, firmware versions prior to Version 5.5.0k, and
GE ML3100 Switch, firmware versions prior to Version 5.5.0k.
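
The following inventory check is an added example, not part of the original advisory or any GE tooling. It flags devices whose firmware is older than the fixed version listed above for their model. The host names, the "host,model,firmware" inventory format and the rule that a letter suffix (5.5.0k) sorts after the same number without one (5.5.0) are assumptions.

```python
import csv
import re

# Fixed firmware version per model, taken from the affected-versions list above.
FIXED = {
    "ML800": "5.5.0", "ML810": "5.5.0k", "ML1200": "5.5.0", "ML1600": "5.5.0",
    "ML2400": "5.5.0", "ML3000": "5.5.0k", "ML3100": "5.5.0k",
}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)$")

def parse_version(text):
    """Return a sortable tuple, or None when the string is not N.N.N[letter].

    Assumption: an empty suffix sorts before any letter suffix."""
    m = _VERSION.match(text.strip().lower().lstrip("v"))
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))

def triage(model, firmware):
    """Classify one device: 'affected', 'fixed', 'review' or 'not-listed'."""
    key = re.sub(r"[^A-Z0-9]", "", model.upper())
    if key.startswith("GE"):
        key = key[2:]
    if key not in FIXED:
        return "not-listed"      # model is not named in this advisory
    current = parse_version(firmware)
    if current is None:
        return "review"          # unreadable version: confirm on the device
    return "affected" if current < parse_version(FIXED[key]) else "fixed"

def triage_inventory(text):
    """Map host -> status for 'host,model,firmware' lines."""
    rows = csv.reader(line for line in text.splitlines() if line.strip())
    return {host.strip(): triage(model, fw) for host, model, fw in rows}

# Constructed sample inventory (hypothetical hosts and versions).
SAMPLE = """\
sw-sub01,ML800,5.4.1
sw-sub02,GE ML810,5.5.0
sw-sub03,ML3000,5.5.0k
sw-sub04,ML2400,v5.5.0
sw-sub05,ML1600,unknown
sw-sub06,ML9999,5.5.0
"""

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host}: {status}")
```

Devices reported as "review" need their firmware version confirmed directly before they are treated as patched.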

CVE Reference: CVE-2016-2310

Suggested Action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly.

References:

ICS-CERT Advisory (ICSA-16-147-02)
https://ics-cert.us-cert.gov/advisories/ICSA-16-154-01

ML800 switch firmware update:
https://www.gegridsolutions.com/app/Resources.aspx?prod=ml800&type=7

ML810 switch firmware update:
https://www.gegridsolutions.com/app/Resources.aspx?prod=ml810&type=7

ML1200 switch firmware update:
https://www.gegridsolutions.com/app/Resources.aspx?prod=ml1200&type=7

ML1600 switch firmware update:
https://www.gegridsolutions.com/app/Resources.aspx?prod=ml1600&type=7

ML2400 switch firmware update:
https://www.gegridsolutions.com/app/Resources.aspx?prod=ml2400&type=7

ML3000 and ML3100 firmware update:
https://www.gegridsolutions.com/app/Resources.aspx?prod=ml3000&type=7
