The afternoon the DHS ICS-CERT updated the Advantech advisory that they published last week. Additionally a new advisory was published for vulnerabilities in an Adcon telemetry gateway.
This update corrects the name of the researcher who reported the vulnerability in an uncoordinated disclosure. The researcher is now being reported as HD Moore. The confusion apparently arose because Tod Beardsley authored the blog post that publicly disclosed the vulnerability, but even that post credited HD Moore with the discovery.
This advisory describes multiple vulnerabilities in the Adcon Telemetry A840 Telemetry Gateway Base Station. The vulnerabilities were reported by Aditya K. Sood. Adcon has contacted all known customers to offer an upgrade to a more secure and stable version. There is no indication that Sood has verified that the newer version is free of the indicated vulnerabilities.
The vulnerabilities are:
• Hard-coded credentials - CVE-2015-7930;
• Improper authentication - CVE-2015-7931;
• Clear text transmission of sensitive information - CVE-2015-7932; and
• Information exposure - CVE-2015-7934
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to gain administrative access to the target.