Today the DHS ICS-CERT published two control system advisories; one for an encryption vulnerability in the Schneider Electric Trio J-Series Radios and one for an input validation vulnerability in the Software Toolbox TOP Server DNP Master OPC product.
Trio J-Series Radio Vulnerability
This advisory concerns a self-reported hard-coded encryption key vulnerability (NOTE: The Schneider web site reports that this vulnerability was reported by an unnamed security researcher). Some versions of the firmware in the Trio J-Series License Free Ethernet Radio do not properly generate an AES encryption key. Schneider reports that simply upgrading to a newer version of the firmware does not necessarily correct the problem; the update has to be properly applied, not just installed.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to take control of the communications network and the control system attached to it. Schneider reports that it has updated firmware that, properly applied, will mitigate the problem. There is no indication that the original researcher has validated the update.
NOTE: Schneider identified this problem and solution in May and posted it on their web site on August 8th. That delay was almost certainly due to attempting to notify customers of the problem. The delay in the ICS-CERT reporting of this issue is not explained.
TOP Server Vulnerability
This advisory concerns an improper input validation vulnerability in the TOP Server DNP Master OPC product identified by Adam Crain and Chris Sistrunk. Oh, hell, just read my Kepware blog post of last week; this advisory is for the same vulnerability in the same system, it's just marketed under a different label. Adam pointed this out to ICS-CERT but they would not add it to the earlier advisory. Adam and Chris get credit for another coordinated disclosure because they pushed ICS-CERT to publish this advisory so that TOP Server owners would understand that this vulnerability applies to them.
This is an ongoing problem with hardware, software and firmware sold under different names or included in other systems. As more of these types of vulnerabilities are reported, blackhats will realize that rebranded systems stay vulnerable because their owners don't know that the available patches and upgrades apply to their equipment. ICS-CERT needs to step up and be proactive in these situations, not wait to be pressured into acting by concerned researchers.
BTW: The Project Robus web site takes credit for this advisory and reports that there are now 17 disclosures pending.