This afternoon the DHS ICS-CERT published an advisory for Westermo switches. They also announced registration and request for papers for the Spring 2016 ISJWG meeting.
This advisory describes a hard-coded certificate vulnerability in Westermo Ethernet switches. The vulnerability was reported by Neil Smith. ICS-CERT reports that Westermo has produced a firmware update that mitigates the vulnerability. Smith have verified the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability after conducting a successful man-in-the-middle attack to obtain authenticated access to the device.
Later in the advisory ICS-CERT reports that: “Westermo is working on an update to automate the changing of the key, which will be published on its web site as soon as it is ready.” The advisory then provides a work around for changing the hard-coded SSL certificate. There is nothing about this vulnerability on the public portion of the Westermo web site. The latest version of the WeOS on that website is 4.18.0 (released this month) which according to the advisory is an affected version. So, apparently the fix that Smith validated is the workaround.
ICSJWG Spring Meeting
I reported in an earlier blog post that the date for the Spring 2016 ICSJWG meeting had been set for May 3rd thru 5th. Today ICS-CERT announced that the registration for that meeting was now open. You can register on-line here and there is still no cost to attend the meeting. Registrations should be completed by April 28th, 2016.
ICS-CERT also published a call for abstracts for that meeting. They are looking for four types of presentations:
• Lightning round