According to a security researcher from security startup Cylance, industrial Ethernet switches and other devices produced by industrial networking equipment manufacturer RuggedCom contain a vulnerability that could be exploited to compromise SSL-based communications between them and their users.
The U.S. Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said in a security alert that it is aware of a public report of a hard-coded SSL private key within RuggedCom's Rugged Operating System (ROS). ICS-CERT also said that Cylance Inc.'s security researcher Justin W. Clarke publicly presented the vulnerability with proof-of-concept (PoC) exploit code.
"This vulnerability does not directly allow for an authentication bypass," said Clarke. "What it allows is for an attacker to decrypt any SSL communication between an end-user's web browser and the RuggedCom device."
Learn more about this by reading the article "ICS-CERT Warns of SSL Security Flaw in RuggedCom Industrial Networking Devices" by PCWorld.com.