Today the DHS ICS-CERT published two control system security advisories for products from Locus Energy and Tesla Motors.
Locus Energy Advisory
This advisory describes a command injection vulnerability in the Locus Energy LGate application. The vulnerability was reported by Daniel Reich. Locus Energy has produced a firmware update to mitigate the vulnerability. The update will be remotely installed by Locus Energy upon request. There is no indication that Reich has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to take control of an LGate that has its web server port publicly exposed.
This advisory was originally posted to the US-CERT secure Portal library on September 29, 2016.
Tesla Motors Advisory
This advisory describes a gateway ECU vulnerability in the Tesla Motors (Tesla) Model S automobile. The vulnerability was reported by Tencent’s Keen Security Lab. Tesla has produced an over-the-air firmware update to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix. ICS-CERT reports that the update has been available since September 18th.