Hard-coded RSA keys found in firmware
GE is the latest industrial kit vendor to send users patching to protect against hard-coded credentials in Ethernet switches. IOActive disclosed the vulnerability to ICS-CERT, which issued this advisory (details here CVE-2014-5418 and here CVE-2014-5419). The vulnerability occurs in various GE Multilink managed Ethernet switches: the ML800, 1200, 1600 and 2400 versions 4.2.1 and older; and the ML810, 3000 and 3100 versions older than version 5.2.0. In these switches, the RSA key used to encrypt ...