This afternoon the DHS ICS-CERT published two control system advisories for systems from Eaton’s Cooper and Moxa.
Eaton’s Cooper Advisory
This advisory describes an IEEE conformance issue involving improper frame padding in Eaton’s Cooper Power Systems Form 6 controls and Idea/IdeaPLUS relays equipped with Ethernet. Ethernet frames shorter than the 60-byte minimum (excluding the frame check sequence) must be padded before transmission; a conforming stack pads with zeros, while a non-conforming stack fills the padding from whatever happens to be in its transmit buffer, so short packets leak fragments of the device's memory. The vulnerability was reported by David Formby and Raheem Beyah of Georgia Tech. An updated version of the systems (associated with another recent ICS-CERT Advisory) has been confirmed by the researchers to be free of the vulnerability.
ICS-CERT reports that a relatively unskilled attacker with network access to unencrypted packets would be able to read the leaked data. Because the padding is part of the link-layer frame and is discarded when a router re-encapsulates the packet, the attacker has to be able to capture traffic on the same network segment as the affected device.
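The check below is an added example, not code from the advisory, the researchers or Eaton's Cooper: it parses raw Ethernet/IPv4 frames, isolates the bytes that follow the IP packet (which can only be minimum-size padding) and flags any frame whose padding is not all zeros. The sample frames are constructed inline for the example; in practice the frames would come from a capture on the relay's segment.

```python
"""
Flag Ethernet frames whose minimum-size padding carries non-zero data.

Added example, not from the ICS-CERT advisory or the vendor. An Ethernet
frame must be at least 60 bytes before the FCS, so a short IPv4 packet is
padded. A conforming stack pads with zeros; a leaking stack pads with
whatever sits in its transmit buffer. The sample frames built here are
constructed test data, not captures from a real device.
"""
import struct

ETH_HDR_LEN = 14
ETH_MIN_LEN = 60          # minimum frame length, excluding the 4-byte FCS
ETHERTYPE_IPV4 = 0x0800


def ipv4_padding(frame: bytes) -> bytes:
    """Return the bytes that follow the IPv4 packet inside an Ethernet frame.

    Returns b"" when the frame is not IPv4, is truncated, or has no padding.
    """
    if len(frame) < ETH_HDR_LEN + 20:
        return b""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return b""
    # The IPv4 total-length field (bytes 2-3 of the IP header) marks where
    # the packet ends; anything after that point is link-layer padding.
    total_len = struct.unpack("!H", frame[ETH_HDR_LEN + 2:ETH_HDR_LEN + 4])[0]
    end = ETH_HDR_LEN + total_len
    if end > len(frame):
        return b""            # truncated capture; nothing to judge
    return frame[end:]


def leaks_data(frame: bytes) -> bool:
    """True when the padding is not all zeros, i.e. the sender's stack
    copied buffer contents into the frame instead of zero-filling it."""
    return any(ipv4_padding(frame))


def scan(frames):
    """Return the indices of frames in a capture whose padding leaks data."""
    return [i for i, f in enumerate(frames) if leaks_data(f)]


def build_frame(pad_pattern: bytes) -> bytes:
    """Construct a minimal Ethernet/IPv4/ICMP echo frame (28 IP bytes) and
    pad it to ETH_MIN_LEN by repeating pad_pattern. Addresses and
    identifiers are made-up sample values; checksums are left as zero."""
    eth = bytes.fromhex("00112233445566778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 28, 0x1234, 0, 64, 1, 0,
                     bytes([192, 168, 1, 10]), bytes([192, 168, 1, 20]))
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)   # echo request
    frame = eth + ip + icmp
    needed = ETH_MIN_LEN - len(frame)              # 18 bytes of padding
    return frame + (pad_pattern * needed)[:needed]


if __name__ == "__main__":
    capture = [
        build_frame(b"\x00"),        # conforming: zero padding
        build_frame(b"\xde\xad"),    # leaking: buffer residue in the padding
    ]
    for i in scan(capture):
        print(f"frame {i}: non-zero padding {ipv4_padding(capture[i]).hex()}")
```

Only IPv4 is handled because its header carries an explicit total length; for other ethertypes the packet boundary has to be derived from the encapsulated protocol before the same comparison applies.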
This advisory was published on the US CERT Secure Portal on October 22nd, 2015. Again, the early notification is available to all critical infrastructure owners and legitimate researchers granted access by ICS-CERT. See the bottom of the ICS-CERT landing page for information on how to apply for this access.
This is the second advisory for this sort of issue. Both were based upon reports by Formby and Beyah. How many more systems will they find with this vulnerability? Who knows; perhaps vendors should start looking for it themselves? Or not. Maybe Formby and Beyah can build a startup business on their technique for finding this vulnerability and then expand it into other areas of vulnerability research. I seem to recall another team that started out in a similar manner.
BTW: Eaton’s Cooper calls this a TCP/IP protocol stack vulnerability. It sounds a little bit more impressive, but perhaps not quite as descriptive.
Moxa Advisory
This advisory describes two vulnerabilities in the Moxa OnCell Central Manager Software. The vulnerabilities were reported through the Zero Day Initiative by Andrea Micalizzi. Moxa has produced a new version, but there is no indication that Micalizzi has been provided an opportunity to verify the efficacy of the fix.
The two vulnerabilities are:
• Use of hard-coded credentials - CVE-2015-6481; and
• Authentication bypass issues - CVE-2015-6480.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to gain full system access.
BTW: The Moxa release notes on the new version do list the authentication bypass issue, but do not mention the hard-coded credentials.