Yesterday the DHS ICS-CERT published three control system advisories for systems from Johnson Controls, Honeywell and Xzeres.
Johnson Controls Advisory
This advisory describes two vulnerabilities in the Johnson Controls Metasys building management system. The vulnerabilities were reported by Billy Rios. Johnson Controls has produced patches for the affected systems, but there is no indication that Rios has been provided the opportunity to verify the efficacy of the fixes.
The two vulnerabilities are:
· Storing passwords in a recoverable format – CVE-2014-5427
· Unrestricted upload of files with a dangerous type – CVE-2014-5428
ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to compromise the Metasys system.
Honeywell Advisory
This advisory describes a directory traversal vulnerability in the Honeywell XL Web Controller. The vulnerability was reported by Martin Jartelius of Outpost24. Honeywell has produced an update that mitigates the vulnerability, but there is no indication that Jartelius has had an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to gain access to the web root directory.
ICS-CERT reports that the same web controllers have been sold under the name 'Falcon' by Centraline. The advisory provides links to the Centraline updates, but Honeywell customers will have to contact the Honeywell HBS branch for assistance in getting the updates.
Xzeres Advisory
This advisory describes a cross-site request forgery vulnerability in the XZERES 442SR turbine generator operating system. The vulnerability was reported by Maxim Rupp. Xzeres has produced a patch that mitigates the vulnerability, but there is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to obtain the username and password from the system. ICS-CERT reports that while no exploits specifically targeting this vulnerability are currently publicly available, there are publicly available exploits for similar vulnerabilities that could easily be changed to work on this system.