This afternoon the DHS ICS-CERT published a control systemadvisory for the Exemys Telemetry Web Server. The login bypass vulnerability described in the advisory was reported by Maxim Rupp. ICS-CERT reports that Exemys “has not produced a patch to mitigate this vulnerability”.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to access information on the server.
The only unique mitigation measure for this vulnerability comes from ICS-CERT with no clear instructions on how to effect the proposed measure. The measure that ICS-CERT recommends is:
“ICS-CERT recommends implementing a single point login that cannot be bypassed.”
It is unusual for ICS-CERT not to be at least a little more forthcoming about why there is not now (and presumably won’t be in the near future) a vendor provided patch or upgrade. While Exemys is headquartered in Argentina, there is no mention of difficulties contacting the organization or that they disagree with the reported vulnerability. A dispassionate observer would probably be excused for assuming that Exemys is not concerned about the existence of this vulnerability.