Today the DHS ICS-CERT published two new advisories: one for 360 Systems’ Image Server and one for the DeltaV MD and SD controllers from Emerson. There are some unique things about both of these vulnerabilities.
360 Systems Image Server
This advisory was originally published on the US-CERT Secure Portal and is now being publicly released. Neil Smith and Ryan Green reported the hardcoded password in a coordinated disclosure. According to ICS-CERT, the affected products are video servers in use in over 3,000 local and network broadcast stations. This is certainly a new twist on the conventional idea of control systems.
The vulnerability is really a combination of a default root user with a hardcoded password. Actually, the advisory uses both ‘default password’ and ‘hardcoded password’. As we saw in yesterday’s advisory, there is a distinct difference between the two. It would be helpful if ICS-CERT consistently described the vulnerability.
In any case, a relatively low-skilled attacker could remotely exploit this vulnerability to modify or upload video and schedule it to play immediately or at a future time.
According to the advisory:
“360 Systems has not produced a patch, new version, or firmware upgrade that removes the hardcoded password or root user account. The vendor recommends that these devices be placed on closed, nonpublic-facing networks. The vendor further recommends the use of properly configured firewalls to restrict access to only necessary ports and the use of Virtual Private Networks if access is required. For more information on proper setup of this device, users may contact 360 Systems’ customer service department.”
Considering how often we hear about holes in supposedly secure networks, this seems to be a weak response, in my opinion. I mean, how hard would it be to crack a TV station computer network and upload a zombie apocalypse emergency broadcast warning? OOPS. Hasn’t that already been done? Was it using this vulnerability? Has anyone heard?
This advisory addresses an uncontrolled resource consumption vulnerability in the MD and SD DeltaV controllers from Emerson. The vulnerability was reported by Joel Langill in a coordinated disclosure. The advisory was posted earlier on the US-CERT Secure Portal.
The advisory reports that a relatively low-skilled attacker could use readily available network mapping tools to locally exploit this vulnerability to initiate a denial of service attack. It also reports that public “exploits may exist that could target this vulnerability”.
Emerson has created a hotfix for this vulnerability. Emerson notes that the hotfix or the installation of the DeltaV Firewall will adequately mitigate the vulnerability, but Emerson recommends that both be used.
There are two editorial problems (at least I hope they are just editorial problems) with this advisory. First, the advisory states that:
“Customer notification KBA_NK-1300-0007 will be sent to customers who own a DeltaV control system.”
The whole point of publishing the advisory on the US-CERT Secure Portal is to provide owners time to fix their systems before the vulnerability is publicly noted. In this case, however, the “will be sent” wording indicates that the customer notification still has not been done. Hopefully this is just poor editing and not poor customer service.
The second questionable comment also applies to mitigation measures. The advisory states:
“According to Emerson and confirmed by Joel Langill, the DeltaV Controller Firewall mitigates this vulnerability; however, Emerson recommends that all users install the hotfix.”
Again, the wording seems to indicate that the firewall was evaluated for efficacy by Joel, but not the hotfix. Again, most of us would have assumed that the firewall could have denied access to the vulnerable ports. I would be more interested in independent verification that the hotfix helped to mitigate the vulnerability.