Today the DHS ICS-CERT took the unusual step of publishing an advisory for multiple vulnerabilities that are not acknowledged by the vendor, OleumTech. As a result, no patches or updates appear to be forthcoming from this coordinated disclosure. The disclosures were made by Lucas Apa and Carlos Mario Penagos Hollman of IOActive.
ICS-CERT reports that the vulnerabilities include:
• Improper input validation vulnerability - CVE-2014-2360 - could lead to a DoS attack and arbitrary code execution;
• Key management errors - CVE-2014-2361 - local access could lead to interception of the site security key;
• Use of cryptographically weak pseudo-random number generator - CVE-2014-2362 - a 4-byte key could be guessed relatively easily.
ICS-CERT notes that an additional vulnerability reported by IOActive, unencrypted data messages, may be considered a user configuration issue since encryption options are available at setup. ICS-CERT reports that OleumTech does not accept the encryption issues as problems since they intended the functions to address authentication issues, not encryption. OleumTech does not address the issues on its web site, so ICS-CERT feels justified in publishing this advisory to alert owners to the vulnerabilities.