Back on Wednesday (holiday delay) the DHS ICS-CERT published two advisories affecting products from Alstom Grid and Monroe Electronics. The Alstom Grid products are used to configure protective relays sold by that company. The Monroe Electronics products are used to broadcast Emergency Alert System (EAS) messages.
The Alstom Grid advisory concerns a self-reported improper authorization vulnerability in the company's MiCOM S1 Agile software and older MiCOM S1 Studio software (versions of MiCOM S1 Studio software from other vendors are not addressed in this advisory). This vulnerability is not remotely exploitable and requires local access and action by an authorized user. The vulnerability does allow for privilege escalation.
ICS-CERT reports that Alstom Grid has released an updated version of the software that mitigates the problem. Since the vulnerability is self-reported, so is the efficacy of the mitigation.
The Monroe Electronics advisory reflects an SSH key vulnerability reported by Mike Davis, a researcher with IOActive, in a coordinated disclosure. It affects the DASDEC-I and DASDEC-II products. It allows a moderately skilled attacker to gain remote ‘root access’ to the system, allowing complete control of the system.
ICS-CERT reports that Monroe Electronics has produced a software update that mitigates this vulnerability. It does not report whether or not Mike Davis or IOActive have verified the efficacy of the update.
Both of these products are specialized control system applications that are used in relatively limited systems. Both, of course, have the capability to affect operations well outside of their control domain. There are probably thousands of these limited-use control systems in use. I would bet that, because the organizations producing them do not have large software development shops, their concerns with security programming are relatively limited.
I suppose that it is a sign of the increased interest in ICS security that vulnerabilities in limited application systems like these are starting to be addressed by security researchers. It is especially heartening in this instance to see Alstom Grid self-reporting their vulnerability. That they detected it in-house is a good sign in and of itself. That they reported it to ICS-CERT is always a good thing.