This afternoon the DHS ICS-CERT published an advisory for multiple vulnerabilities in equipment from Moxa, thus updating an Alert from August. It also published the latest version of the ICS-CERT Monitor for the January-February time frame.
This advisory describes two vulnerabilities in the Moxa ioLogik E2200 Ethernet Micro RTU controllers. Like Tuesday’s Rockwell advisory these vulnerabilities were reported by Aditya Sood via last summer’s DefCon. Moxa has issued a firmware update and an associated update for their Active OPC Server software that mitigates the vulnerability. There is no indication that Sood has been given the opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Insufficiently protected credential - CVE-2016-2282; and
• Inadequate encryption strength - CVE-2016-2283
ICS-CERT reports that a relatively low skilled attacker could use existing public exploits to remotely exploit these vulnerabilities to gain access to settings and data on the devices.
It is interesting to note that Moxa reports in their release notes that the new version of the OPC Server software will continue to support Windows 2003 and Windows XP systems. Both of these are long out of support at Microsoft and their continued use potentially puts operations at risk for any number of vulnerabilities.
The 2016 January-February Monitor was published this afternoon and I was impressed with the increased level of interesting and usable information. I am definitely recommending that people download and read this issue; not something that I have done in a while.
I expected the opening incident investigation report to touch on the Ukraine power outage and I was wrong. Instead they described a visit to a combined water and electric power utility and actually discussed some control system issues. Nice note that they found a wireless router in one network that operators incorrectly thought was disconnected and an unknown cellular modem (vendor installed) in the other.
There were two things reported in this article that deserved a little more attention; a brief report that ‘low-level malware' was spotted on one network, and the initial comment that the utility was planning on merging their two operations networks. A little discussion could have turned both of these observations into important teaching points.
There was a good overview article on incident response and a description of the changes that went into the newly released CSET v7.1. There was also a favorable write up on the ICS-CERT attendance at Digital Bonds S4x16 conference. The ICSJWG Spring Conference in May also got a plug.
They also provided links to eight updated ICS-CERT fact sheets. I would like to suggest that ICS-CERT date these fact sheets so they can be readily differentiated from the predecessors and any follow-on updates. Those fact sheets were:
• Training; and
All in all, I think this was a very well done issue; certainly much more informative that the last couple of issues have been. PLEASE keep up this caliber of reporting.