Yesterday the DHS ICS-CERT published an advisory concerning an ‘insufficient entropy’ vulnerability in some of the mGuard security appliances produced by Innominate. The vulnerability was reported by an independent research group in a coordinated disclosure. Interestingly, there is no mention of this advisory being previously published on the US-CERT Secure Portal.
The vulnerability in a number of security appliances would allow a skilled attacker to obtain the credentials of administrative users. This could allow them to set up a man-in-the-middle attack where they could remotely gain control of networks protected by these devices. The affected appliances were all manufactured before 2006 (ancient by IT standards, but moderately new by ICS standards).
This is a much more serious set of vulnerabilities than the buffer overflow vulnerability ICS-CERT reported earlier this week. Too many security folks get comfortable when their networks are protected by VPN systems or firewalls. Defects in that security wall make everything behind it more vulnerable.
Innominate has provided mitigation tools to fix the identified problems. Since security keys are involved in these systems, the required mitigation is a tad more complicated than a normal software upgrade. The Advisory describes three separate modes of mitigation depending on the configurations involved.
The folks at ICS-CERT publishing this Advisory got a little too comfortable themselves in the publication process. At the end of the Advisory they include the standard blurb about additional measures that should be taken to protect systems. Unfortunately, these all involve putting industrial control systems behind the very types of security devices that are the subject of this vulnerability disclosure. While they do say that these measures are designed to “protect against this and other [emphasis added] cybersecurity risks,” this section probably should have been left off this Advisory.