Thursday, December 3, 2015

ICS-CERT Published Two Advisories

This afternoon the DHS ICS-CERT published to control system advisories for products from Honeywell and SearchBlox.


Honeywell Advisory

This advisory describes two vulnerabilities in the Honeywell Midas gas detector. The vulnerabilities were reported by Maxim Rupp. Honeywell has produced new firmware versions to mitigate the vulnerabilities, but there is no indication that Rupp was provided the opportunity to verify the efficacy of the fix.

The two vulnerabilities are:

• Path traversal - CVE-2015-7907; and
• Clear text transmission of sensitive information - CVE-2015-7908.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to make unauthorized configuration changes to the device.

This advisory was originally released to the US CERT Secure Portal on November 5, 2015. Again, if you were authorized access to the Secure Portal (see the bottom of the ICS-CERT landing page for instructions on how to request access) you could have already applied the new firmware to your detectors.

Note: The link in the ICS-CERT advisory for the Honeywell Security Notice is incorrect. It should be: http://www.honeywellanalytics.com/en/support/product-notifications/midas-security-notification-firmware-update-available

SearchBlox Advisory

This advisory describes an information exposure vulnerability in the SearchBlox web-based proprietary search engine application. The vulnerability was reported by Oana Murarasu of Ixia. SearchBlox has developed a new version that mitigates the vulnerability, but there is no indication that Murarasu has been provided the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to export of the config file without admin login, overwrite the config file without admin login, and add or delete (nonadmin) users.

Missing Alert?


I was really expecting to see ICS-CERT publish an alert today on the Advantech EKI vulnerabilities that were reported on Tuesday by Rapid7, especially since there is already a Metasploit module available for the vulnerabilities. The reason might be that these are actually ‘old’ vulnerabilities (Heartbleed, Shellshock and a previously reported buffer overflow) that apparently made their way back into the firmware update for the latest ICS-CERT reported advisory (ISCA-15-309-01).

1 comment:

Prince Riley said...

Cyber Terrorism or Cyber Attack: How Can Critical Infrastructure Operators Tell the Difference ?

How can BES generation or distribution system owners tell when their SCADA/ICS systems are the victims of a cyber attack or cyber terrorism? Congress and the Regional Entities, along with NERC and FERC, have as yet not agreed to provide an answer to this question despite the need for such an answer as a guide to both policy and compliance guidance.

Congress is expressing concern the nation's electrical grid remains vulnerable to cyber attacks and progress to reduce it is too slow as reports of increasingly sophisticated attacks are being launched by a spectrum of "actors". FERC recently announced it will conduct its' own audits of the electrical industry's compliance with NERC's security standards (CIP V5) in 2016: a move many believe signals FERC, by bypassing NERC's audits, shares Congress' concerns (and frustration) the industry has not reported more progress since the standard's release over two years ago.

While a distinction between "cyber terrorism" and "cyber attack" may at first appear a matter of semantics, some observers define “Cyberterrorism” as an attack having the same impact as a
bomb, or other chemical, biological, radiological, or nuclear explosive (CBRN) weapon where loss of life, property damage and injuries occur. Others disagree and believe the effects of a widespread attack against critical infrastructure have unpredictable consequences and enough potential for economic disruption, fear, and civilian deaths, to qualify as terrorism.

The distinction has serval policy dimensions and implications. Specifically should a FEMA-like government agency be chartered to assist critical infrastructure sectors with recovery after a ‘cyber terror’ attack occurs? Such an agency, if chartered' would give the electrical industry a safety net and provide an upper limit on their assessment of risks and where to focus their efforts

 
/* Use this with templates/template-twocol.html */