Today the DHS ICS-CERT published new advisories for products from Cogent and Triangle MicroWorks (TMW). Both advisories are based upon coordinated disclosures.
The Cogent advisory addresses multiple vulnerabilities in the Cogent DataHub. The vulnerabilities were reported by Alain Homewood. Cogent has produced a new version of the application that addresses three of the four identified vulnerabilities, and ICS-CERT reports that Homewood has verified the efficacy of the mitigation measures for those vulnerabilities.
The vulnerabilities are:
• Reflected cross-site scripting, CVE-2014-72038;
• Directory traversal, CVE-2014-59156;
• Password hash with insufficient computational effort, CVE-2014-32537; and
• Many known vulnerabilities in OpenSSL version 1.0.0D.
ICS-CERT reports that a low to moderately skilled attacker could exploit these vulnerabilities (three of them remotely) with a variety of potential effects. The new version does not address the third vulnerability listed above; Cogent advises that they do not plan to address this vulnerability due to “compatibility issues with existing systems”. They explain (and Homewood agrees according to the advisory) that an adequately strong password will be an effective mitigation of this vulnerability.
Triangle MicroWorks Advisory
This advisory addresses Crain-Sistrunk DNP3 vulnerabilities in TMW SCADA Data Gateway. It addresses the two standard vulnerabilities in serial and IP communications. In fact, the wording of this advisory is nearly identical to that of an ICS-CERT advisory published last fall that covered both the devices included in this advisory and TMW’s DNP3 Source Code libraries.
Interestingly, this advisory points to a TMW document describing the changes referenced in the advisory. Unfortunately, that document only reports the changes that were made last fall in response to the earlier advisory. Something odd is going on here, and the ICS-CERT advisory does not make clear what it is.
BTW: The Project Robus web page does not yet list this second TMW advisory. Looking at their tally, it would seem that we still have seven more Crain-Sistrunk advisories to be published by ICS-CERT.