By default, GarrettCom Magnum MNS-6K Management Software installs with a default, hardcoded password that may allow a normal user account to authenticate with admin privileges. This allows attackers to trivially access the program or system and gain privileged access.

Upgrade to version 4.1.15 or higher or 14.1.15 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds. ICS has also implied that versions 4.4.0 and 14.4.0 may address this vulnerability.

• CVE ID: 2012-3014 (see also: NVD)
• Secunia Advisory ID: 50418
• News Article: http://arstechnica.com/security/2012/09/secret-account-in-mission-critical-router-opens-power-plants-to-tampering/
• Vendor Specific Advisory URL: http://www.garrettcom.com/techsupport/6k_dl/6k14115a_rn.pdf
• Vendor Specific News/Changelog Entry: http://www.garrettcom.com/techsupport/6k_dl/6k440_rn.pdf
• Other Advisory URL: http://www.us-cert.gov/control_systems/pdf/ICSA-12-243-01.pdf

• Justin W. Clarke - Cylance Inc.