Westermo is working on a permanent fix for the vulnerability reported in CVE-2015-7547. Until then, we recommend that users of WeOS versions 4.12.0 through 4.18.0 consider reconfiguring DNS and static hostname lookup as follows:
- Configure DNS servers to be 127.0.0.1
- Add static hostname lookup entries for all hostnames configured in the device
- Refer to the appropriate WeOS Management Guide for more information. For WeOS version 4.18.0, the relevant sections are:
o 19.3.3 DNS client – setting DNS server and dynamic DNS
o 19.7.8 Add static hostname lookup entry
An attacker that successfully masquerades as an upstream DNS server may serve the WeOS device a malicious DNS query response that can give the attacker full unauthorized access to the device.
“The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.”
Download Westermo Security Advisory WEOS-16-03.
WeOS products running WeOS versions 4.2.0 and newer share a common self-signed certificate and private key from factory. An attacker can extract the private key from our WeOS firmware and masquerade as a WeOS device. If successful, the attacker may be able to obtain credentials from an end-user who enters them in the belief that it is a valid WeOS device they are accessing. To be successful, the attacker must be able to access and inject themselves into the network path between the end-user and the legitimate WeOS device.
Westermo provides self-signed certificates from factory to minimize the risk of compromise in the time between shipping and commissioning, but we strongly recommend that WeOS users replace the default certificate and private key with ones they trust, typically issued by their own corporate certificate authority. The ability to replace the web interface certificate and private key has existed as a tech preview (undocumented and with limited user interface support) since WeOS version 4.15.2.
WeOS users that utilize the web interface for management of the device should ensure that:
- they have upgraded to the latest version of WeOS, which is 4.18.0 at the time of writing, and
- they have replaced the default password with a strong, unique one in compliance with corporate security policy, and
- insecure management services like ipconfig, telnet and http are disabled on all interfaces, and
- https, ssh and snmp services are only exposed on the most secure interfaces (typically those facing higher security zones), and
- the default web interface certificate is replaced following the procedure described in the security advisory linked below.
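Because the factory certificate and key are identical on every affected device, the simplest fleet-wide check for the last item above does not need to know what the default certificate looks like: connect to each device, take the SHA-256 fingerprint of the leaf certificate it presents, and flag any fingerprint that more than one device presents. Devices in such a group share one key pair and still need their own certificate. The script below is an added example written for this page, not Westermo code; the device host names and the HTTPS port are assumptions, and the fetch function only accepts whatever certificate the device hands over (verification is disabled on purpose, since a self-signed default would never pass a trust store).

```python
"""Fleet check for a shared (factory-default) TLS certificate on WeOS web interfaces.

Added example, not Westermo code. Host names and port are assumptions.
"""
import hashlib
import socket
import ssl
from collections import defaultdict


def fetch_leaf_der(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Return the DER encoding of the leaf certificate the device presents.

    Verification is deliberately disabled: we want to inspect the certificate
    the device actually serves, including an untrusted self-signed default.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of the DER bytes, colon-separated as openssl prints it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def shared_certificates(certs: dict) -> dict:
    """Group devices by the fingerprint of the certificate they presented.

    `certs` maps device name -> DER bytes. Returns {fingerprint: [devices]}
    for every fingerprint that two or more devices present. A certificate
    shared across devices means a shared private key, which is exactly the
    factory-default situation the advisory describes.
    """
    by_fp = defaultdict(list)
    for device, der in certs.items():
        by_fp[fingerprint(der)].append(device)
    return {fp: sorted(devs) for fp, devs in by_fp.items() if len(devs) > 1}


def audit(devices, port: int = 443) -> dict:
    """Fetch the certificate from every device and report shared-certificate groups."""
    certs = {}
    for host in devices:
        try:
            certs[host] = fetch_leaf_der(host, port)
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: could not fetch certificate ({exc})")
    shared = shared_certificates(certs)
    for fp, devs in shared.items():
        print(f"shared certificate {fp} presented by: {', '.join(devs)}")
    if not shared:
        print("no certificate is presented by more than one device")
    return shared


if __name__ == "__main__":
    # Assumed device names; replace with the management addresses of your WeOS fleet.
    audit(["switch-a.example.net", "switch-b.example.net", "switch-c.example.net"])
```

Run it against the management addresses of all WeOS devices reachable from a trusted interface; an empty result means every device presents a distinct certificate, while any reported group lists devices that still share a key pair and must have the default replaced. The same fingerprint list can later serve as a pin set for the devices' replacement certificates.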