ICSA-16-028-01A  ·  Published 2025-06-05  ·  Source: CISA ICS-CERT

Westermo Industrial Switch Hard-coded Certificate Vulnerability (Update A)

CVSS 9.0 CRITICAL

CVEs (1)

Remediations

  • Westermo has released a patch that allows changing default certificates to custom certificates. Directions for changing certificates can be found in the WeOS Management Guide Section 7.1.8 or by contacting Westermo Support at +46 16 428000.
  • In the meantime, users should follow the procedure below to mitigate the vulnerability:
    1. Devices with WeOS versions older than 4.15.2 should be upgraded to the latest release in order to get the capability to replace the default web certificate.
    2. Upload a custom certificate, preferably from an established internal or external PKI. See Section 7.1.8 in the WeOS Management Guide.
    3. Log in to the CLI (console or SSH).
    4. Issue the following commands (where <LABEL> is the label defined during Step 2 as described in the WeOS Management Guide): config, web, certificate <LABEL>, exit, exit, copy run start
  • Self-signed certificates should be avoided: they present a similar attack vector, because the keys that encrypt traffic are not established until after the first access to the device.
  • Web access can either be disabled completely or allowed only from the most secure network, which limits the exposure of this vulnerability to that network; an attacker would then have to gain access to that more secure network in order to stage an attack.
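
After completing the procedure above, a practitioner will want to confirm that the switch's web interface no longer presents the shared default certificate (or a self-signed one). The script below is an added example, not Westermo's or CISA's code: it fetches the leaf certificate a host presents over TLS, computes its SHA-256 fingerprint, and classifies it as trusted (fingerprint on an allowlist you build from your own PKI), self-signed (issuer equals subject), or untrusted. The default WeOS certificate's fingerprint is not given on this page, so the allowlist approach is used instead of a known-bad list. The host name, port and the certificate built by `sample_cert` are constructed for offline testing; `sample_cert` produces an unsigned DER skeleton, not a real certificate.

```python
"""Post-remediation check for a hard-coded or self-signed web certificate.
Added example (assumptions: host/port are yours; sample_cert is a constructed stub)."""
import hashlib
import socket
import ssl


def _read_tlv(buf, pos):
    """Parse one DER TLV header at buf[pos]; return (tag, value_start, value_end)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, value_bytes, raw_tlv_bytes) for each TLV in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vs, ve = _read_tlv(buf, pos)
        yield tag, buf[vs:ve], buf[pos:ve]
        pos = ve


def issuer_and_subject(der):
    """Return the raw DER of the issuer and subject Names of an X.509 certificate."""
    _, cs, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, ts, te = _read_tlv(der, cs)         # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, ts, te))
    if fields[0][0] == 0xA0:               # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[2][2], fields[4][2]


def is_self_signed(der):
    """Heuristic used by the advisory's reasoning: issuer Name == subject Name."""
    issuer, subject = issuer_and_subject(der)
    return issuer == subject


def sha256_fingerprint(der):
    return hashlib.sha256(der).hexdigest().upper()


def assess(der, trusted_fingerprints):
    """'trusted' if the fingerprint is allowlisted, else 'self-signed' or 'untrusted'."""
    if sha256_fingerprint(der) in trusted_fingerprints:
        return "trusted"
    return "self-signed" if is_self_signed(der) else "untrusted"


def fetch_cert_der(host, port=443, timeout=5.0):
    """Fetch the leaf certificate a device presents; verification is off because
    we are inspecting the certificate, not trusting it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# --- constructed sample input (not a real certificate) -------------------------
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    """Name ::= SEQUENCE OF RDN; one RDN holding CN (OID 2.5.4.3) as UTF8String."""
    atv = _der(0x30, _der(0x06, bytes([0x55, 0x04, 0x03])) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def sample_cert(issuer_cn, subject_cn):
    """Unsigned X.509 skeleton with the field order a parser must handle."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02")) +                 # version v3
               _der(0x02, b"\x01") +                             # serialNumber
               _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")) +
               _name(issuer_cn) +
               _der(0x30, _der(0x17, b"250101000000Z") + _der(0x17, b"260101000000Z")) +
               _name(subject_cn) +
               _der(0x30, b""))                                  # SPKI placeholder
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    # Real use: allowlist = fingerprints of the certificates your PKI issued.
    # assess(fetch_cert_der("switch01.ot.example"), allowlist)   # hypothetical host
    print(assess(sample_cert("WeOS default", "WeOS default"), set()))   # self-signed
```

Run it against each switch after step 4; any result other than `trusted` means the device is still presenting a certificate your PKI did not issue, and the replacement procedure should be repeated.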

Affected Vendors

Westermo

Affected Products (1)

Westermo · WeOS <4.19.0
