Today the DHS ICS-CERT published three control system security advisories for products from Hyundai Motor, Sierra Wireless and BLF-Tech.
Hyundai Motor Advisory
This advisory describes two vulnerabilities in the Hyundai Motor Blue Link. The vulnerabilities were reported by Will Hatzer and Arjun Kumar working with Rapid7. Hyundai produced a new version that mitigates the vulnerability. There is no indication that the researchers have been provided the opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Man-in-the-Middle – CVE-2017-6052; and
• Use of Hard-Coded Cryptographic Key – CVE-2017-6054
ICS-CERT reports that an attacker (no characterization of the skill level is provided) could remotely exploit this vulnerability to gain access to insecurely transmitted sensitive information, which could allow the attacker to locate, unlock, and start a vehicle associated with the affected application.
NOTE: A Rapid7 blog post provides more details about the vulnerability.
Sierra Wireless Advisory
NOTE: This advisory provides additional information on vulnerabilities that were initially reported by ICS-CERT in an Alert last June.
This advisory describes three vulnerabilities in the Sierra Wireless AirLink Raven XE and XT. The vulnerabilities were reported by Karn Ganeshen. Sierra Wireless has produced new firmware that mitigates two of the three reported vulnerabilities. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities were:
• Improper Authorization – CVE-2017-6044;
• Cross-Site Request Forgery – CVE-2017-6042; and
• Insufficiently Protected Credentials (Not mitigated) – CVE-2017-6046
Neither this advisory nor the Sierra Wireless Technical Bulletin [.DOC download] from last summer addresses the fourth vulnerability reported by Ganeshen in his disclosure: unauthenticated access to directories and arbitrary file upload.
ICS-CERT reports that a relatively unskilled attacker could use the publicly available exploits for these vulnerabilities to remotely attack these devices to perform unauthorized sensitive functions compromising the confidentiality, integrity, and availability of the affected system.
BLF-Tech Advisory
This advisory describes an uncontrolled search path element vulnerability in the BLF-Tech VisualView HMI. The vulnerability was reported by Karn Ganeshen. BLF-Tech has produced a new version to mitigate the vulnerability. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker (access requirements not characterized) could exploit the vulnerability to execute arbitrary code within the system.