This morning the DHS ICS-CERT published three control system security advisories for products from Black Box, Sixnet and Environmental Systems Corporation.
Black Box Advisory
This advisory describes a credential management vulnerability in the Black Box AlertWerks ServSensor devices. The vulnerability was reported by Lee Ryman. Black Box has produced a new firmware version to mitigate the vulnerability and Ryman has verified the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to gain access system passwords.
This advisory describes a hard-coded credential vulnerability in the Sixnet BT series routers. The vulnerability was reported by Neil Smith. Sixnet has produced a new firmware version and updates to mitigate the vulnerability. There is no indication that Smith has been provided the opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could use publicly available exploits to remotely exploit the vulnerability to gain full access to the affected device.
The Sixnet web site does not yet (as of 22:00 EDT, 5-26-16) have the new version of the BT firmware listed.
Environmental Systems Corporation Advisory
This advisory describes twin vulnerabilities in the ESC 8832 Data Controller. The vulnerabilities were independently reported by Maxim Rupp and Balazs Makany. ESC reports that there is no code space for a firmware update so it has designed compensating controls to mitigate the vulnerabilities. There is no indication that either Rupp or Makany have been provided an opportunity to verify the efficacy of the fix.
The two vulnerabilities are:
• Authentication bypass - CVE-2016-4501; and
• Privilege management - CVE-2016-4502
ICS-CERT reports that a relatively unskilled attacker could use publicly available information to remotely exploit the vulnerability to perform administrative operations over the network without authentication.
ESC recommends replacing the device or blocking Port 80 with a firewall.