Monday, November 9, 2015

More Info on Advantech Advisory

I got an interesting email this weekend from a reader (I don’t yet have permission to use reader’s name, so we’ll just leave it at reader for the moment), Neil Smith (the researcher who is credited with reporting the vulnerability) about the recent ICS-CERT Advisory on the Advantech EKI-122X series products that I discussed last week. The reader Neil had some comments on the mitigation measures outlined in the Advisory.

The Advisory explained the mitigation measures this way:

“Advantech released new firmware in October 2015 to mitigate this vulnerability. For the EKI122* BE (v1.65) and EKI-136* (v1.27) product lines, HTTPS and SSH is disabled. For the EKI132* (v1.98) product line, additional configurations were added to allow customization for the HTTPS and SSH keys.”

The reader Neil notes that “HTTPS and SSH is disabled” means that the Advantech is “reverting back to plaintext device configuration by default, and leaving it up to the end user to configure SSL/SSH with their own keys”.

Since there is no publicly available documentation for these firmware updates, I have no way of knowing if Advantech has made this clear to the users.

It seems to me that this is actually a step backwards (if Advantech has not made this clear) in that, without additional owner/integrator actions, it will be even easier to make unauthorized changes to these Modbus gateways than it was before the update was installed. At least with the original firmware, you had to know the hardcoded password.

In closing his email the reader Smith wanted me to remind readers that “if a user updates to the latest firmware, they need to double check these services are turned back on and make sure their own certs/keys are being used”. [Updated with 'reader' name - 11-9-15, 21:05 CST]

No comments:

/* Use this with templates/template-twocol.html */