This afternoon the DHS ICS-CERT published two control system advisories for products from Honeywell and SearchBlox.
The Honeywell advisory describes two vulnerabilities in the Honeywell Midas gas detector. The vulnerabilities were reported by Maxim Rupp. Honeywell has produced new firmware versions to mitigate the vulnerabilities, but there is no indication that Rupp was provided the opportunity to verify the efficacy of the fix.
The two vulnerabilities are:
• Path traversal - CVE-2015-7907; and
• Clear text transmission of sensitive information - CVE-2015-7908.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to make unauthorized configuration changes to the device.
This advisory was originally released to the US CERT Secure Portal on November 5, 2015. Again, if you have authorized access to the Secure Portal (see the bottom of the ICS-CERT landing page for instructions on how to request access) you could have already applied the new firmware to your detectors.
Note: The link in the ICS-CERT advisory for the Honeywell Security Notice is incorrect. It should be: http://www.honeywellanalytics.com/en/support/product-notifications/midas-security-notification-firmware-update-available
The SearchBlox advisory describes an information exposure vulnerability in the SearchBlox web-based proprietary search engine application. The vulnerability was reported by Oana Murarasu of Ixia. SearchBlox has developed a new version that mitigates the vulnerability, but there is no indication that Murarasu has been provided the opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to export the config file without admin login, overwrite the config file without admin login, and add or delete (nonadmin) users.
I was really expecting to see ICS-CERT publish an alert today on the Advantech EKI vulnerabilities that were reported on Tuesday by Rapid7, especially since there is already a Metasploit module available for the vulnerabilities. The reason might be that these are actually ‘old’ vulnerabilities (Heartbleed, Shellshock and a previously reported buffer overflow) that apparently made their way back into the firmware update for the latest ICS-CERT reported advisory (ICSA-15-309-01).
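The regression Rapid7 describes is exactly the kind of thing a firmware-acceptance check should catch before an update is rolled out to devices. The script below is an added example, not code from ICS-CERT, Rapid7 or Advantech: it walks an unpacked firmware root, pulls bash and OpenSSL version strings out of the binaries, and flags builds that predate the Shellshock and Heartbleed fixes. The sample firmware tree, its file names and the version strings in it are constructed for the example. The bash patch-level table covers only the first Shellshock patch (CVE-2014-6271) on each branch, so a hit is a floor rather than a complete verdict, and a clean result should still be confirmed with a behavioural test on the device itself.

```python
"""Triage an unpacked firmware root for bash/OpenSSL builds that predate
the Shellshock and Heartbleed fixes.  Added example; assumes the firmware
has already been unpacked (e.g. with binwalk) into a directory tree."""
import os
import re
import tempfile

# Version strings as they appear inside the binaries.
OPENSSL_RE = re.compile(rb"OpenSSL (\d+\.\d+\.\d+[a-z]?(?:-beta\d)?)")
BASH_RE = re.compile(rb"GNU bash, version (\d+)\.(\d+)\.(\d+)")

# Patch level that carries the first Shellshock fix (CVE-2014-6271) on each
# bash branch.  Later follow-up CVEs needed further patches, so this is a
# floor: anything below it is certainly unpatched.
SHELLSHOCK_FIX = {
    (4, 3): 25, (4, 2): 48, (4, 1): 12, (4, 0): 39,
    (3, 2): 52, (3, 1): 18, (3, 0): 17,
}


def heartbleed_vulnerable(version: str) -> bool:
    """Heartbleed (CVE-2014-0160): OpenSSL 1.0.1 through 1.0.1f, plus 1.0.2-beta1.
    1.0.1g, the 1.0.0 branch and 0.9.8 are not affected."""
    if version == "1.0.2-beta1":
        return True
    return re.fullmatch(r"1\.0\.1[a-f]?", version) is not None


def shellshock_unpatched(major: int, minor: int, patch: int) -> bool:
    """True when the bash build predates the first Shellshock patch for its branch.
    Branches older than 3.0 never received a fix; 4.4 and later shipped fixed."""
    fix = SHELLSHOCK_FIX.get((major, minor))
    if fix is None:
        return (major, minor) < (3, 0)
    return patch < fix


def scan_firmware_root(root: str):
    """Return sorted (relative path, CVE, component version) findings."""
    findings = set()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:  # broken symlink, device node, unreadable file
                continue
            rel = os.path.relpath(path, root)
            for m in OPENSSL_RE.finditer(data):
                ver = m.group(1).decode()
                if heartbleed_vulnerable(ver):
                    findings.add((rel, "CVE-2014-0160", f"OpenSSL {ver}"))
            for m in BASH_RE.finditer(data):
                major, minor, patch = (int(x) for x in m.groups())
                if shellshock_unpatched(major, minor, patch):
                    findings.add((rel, "CVE-2014-6271", f"bash {major}.{minor}.{patch}"))
    return sorted(findings)


def build_sample_root() -> str:
    """Constructed stand-in for an unpacked firmware image (not a real image):
    an old bash, a Heartbleed-era libssl and one already-fixed OpenSSL build."""
    root = tempfile.mkdtemp(prefix="fw-")
    os.makedirs(os.path.join(root, "bin"))
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "bin", "bash"), "wb") as fh:
        fh.write(b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 32 +
                 b"GNU bash, version 4.2.37(1)-release (arm-unknown-linux-gnu)\x00")
    with open(os.path.join(root, "lib", "libssl.so.1.0.0"), "wb") as fh:
        fh.write(b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 32 +
                 b"OpenSSL 1.0.1e 11 Feb 2013\x00")
    with open(os.path.join(root, "lib", "libcrypto-fixed.so"), "wb") as fh:
        fh.write(b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 32 +
                 b"OpenSSL 1.0.1g 7 Apr 2014\x00")
    return root


if __name__ == "__main__":
    for rel, cve, component in scan_firmware_root(build_sample_root()):
        print(f"{cve}\t{component}\t{rel}")
```

Point `scan_firmware_root` at the real extracted tree instead of the constructed one to use it on a vendor update; the version strings survive stripping, so the check works on binaries without symbols.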