Sunday, August 5, 2012

ICS-CERT Ignores VPN Vulnerability

A week ago last Saturday there was an interesting article posted on It deals with an encryption problem with a common protocol used in the authentication process for virtual private networks. The vulnerability was discussed at DEFCON by Moxie Marlinspike who released tools for cracking the passwords used in establishing VPN connections.

I held off on commenting on this issue because I figured that we would be seeing an ICS-CERT alert on the issue. I know that the software involved is not actually a control system, but VPN’s are commonly used to remotely access control systems so this should be an ICS-CERT concern. This is especially true since ICS-CERT routinely urges the use of VPNs when remote access is required for control systems.

Now the CNET article doesn’t provide a lot of details, but it doesn’t seem to me that the tool (ChapCrack) is overly user friendly and it does require the use of an outside decryption service, CloudCraker, at $200 a pop, so this isn’t something that is going to be used by a casual attacker. Having said that, it is a serious vulnerability in a common control system security tool and it should have been addressed by an ICS-CERT alert.

Fortunately, it is a Microsoft vulnerability, and CNET reports that they are working on a solution to the problems. In the mean-time, organizations that authorize the VPN access to control systems should review the requirements for that access and limit that access as appropriate. And remember, access to the enterprise network may provide access points to the control system that were not originally recognized.

1 comment:

Dale Peterson said...

Hi Patrick,

I don't think anyone would consider me an ICS-CERT apologist, but in this case they made the right choice.

By your logic, ICS-CERT would need to put up a bulletin for every Microsoft, Oracle, *nix, ... vuln and patch because they are widely used in control systems.

Owner/operators should be monitoring the vendor support site and US-CERT for these security bulletins.

I think the converse argument actually makes more sense. Everything should be on US-CERT with perhaps a keyword for ICS specific vulns. I see no difference in the quality of the alerts now as compared to the days prior to ICS-CERT.

Dale Peterson
Digital Bond, Inc.

/* Use this with templates/template-twocol.html */