Today the DHS ICS-CERT published a control system advisory for a weak pseudo random number generator (PNRG) in ProSoft Technology RadioLinx ControlScape products. The vulnerability was reported by Lucas Apa and Carlos Mario Penango Hollman, with IOActive in a coordinated disclosure.
ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to generate system passwords. ProSoft has produced a patch (WARNING: this is a link to an .EXE file) that reportedly mitigates this but there is no indication that the efficacy has been verified by the IOActive researchers. ProSoft has provided a suggestion for making the current password generation system more secure without the upgrade;
“Changing the default ‘seed’ passphrase will greatly increase the entropy of passphrase generation process.”