Today the DHS ICS-CERT updated a control system advisory for Wind River VxWorks that was originally published in June. It also published a new advisory for Advantech’s EKI-122X series products.
Wind River Update
This update provides updated information on the systems affected by the vulnerability and the mitigation measures available for Wind River devices. There is no mention of any changes in mitigation measures for Schneider products and there are no new vendors added to the list using the vulnerable VxWorks embedded software.
Three versions of VxWorks Cert have been added to the list of affected products. The Schneider Electric Sage 2300 RTU and SAGE LANDAC2 Upgrade Kit have also been added. The Schneider advisory on this vulnerability is not currently available on-line.
Patches are now available for more of the affected products, but Wind River is recommending that owners upgrade to newer versions that are not affected by the vulnerability.
It seems a bit odd to me that ICS-CERT has not yet identified any other vendors that are using the vulnerable VxWorks firmware. I suppose that they may know of some, but are waiting for word that a patch is available.
It sure would be nice if there were some simple test that could be performed by an owner to see if their RTU’s were subject to the TCP predictability vulnerability. Of course, since a facility may have a large number of RTU’s, the test would have to be very quick for anyone to use it in practice.
This advisory describes a hard-coded SSH key vulnerability in the Advantech EKI-122X series products. The vulnerability was first reported by Neil Smith. Advantech has produced a new firmware version that mitigates the vulnerability, but there is no indication that Smith has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to intercept communications to and from the device.