Tuesday, November 17, 2015

ICS-CERT Published Exemys Advisory

This afternoon the DHS ICS-CERT published a control system advisory for the Exemys Telemetry Web Server. The login bypass vulnerability described in the advisory was reported by Maxim Rupp. ICS-CERT reports that Exemys “has not produced a patch to mitigate this vulnerability”.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to access information on the server.

The only unique mitigation measure for this vulnerability comes from ICS-CERT with no clear instructions on how to effect the proposed measure. The measure that ICS-CERT recommends is:

“ICS-CERT recommends implementing a single point login that cannot be bypassed.”

It is unusual for ICS-CERT not to be at least a little more forthcoming about why there is not now (and presumably won’t be in the near future) a vendor-provided patch or upgrade. While Exemys is headquartered in Argentina, there is no mention of difficulties contacting the organization, or of any disagreement on its part with the reported vulnerability. A dispassionate observer would probably be excused for assuming that Exemys is not concerned about the existence of this vulnerability.
