This morning the DHS ICS-CERT published two control system advisories from products from ABB and Moxa.
The ABB advisory describes multiple credential vulnerabilities in the ABB PCM600. The vulnerabilities were reported by Ilya Karpov of Positive Technologies. ABB has produced a new version to mitigate the vulnerabilities. There is no indication that Karpov has been provided an opportunity to verify the efficacy of the fix.
The vulnerabilities include:
• Use of password hash with insufficient computational effort - CVE-2016-4511; and
• Insufficiently protected credential - CVE-2016-4516, CVE-2016-4524, and CVE-2016-4527
ICS-CERT reports that a relatively unskilled attacker with local access to the computer running PCM600 could exploit these vulnerabilities to edit the main application or to gain access to PCM600 or connected devices.
ABB publishes a Cyber Security Deployment Guideline for the PCM600.
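The first item in the list above, "use of password hash with insufficient computational effort" (CWE-916), is easy to misjudge when auditing a credential store: the hash may look fine but cost an offline guesser almost nothing per attempt. The following is an added example, not code from ABB, ICS-CERT or the PCM600, that puts a weak unsalted single-pass digest beside a salted PBKDF2-HMAC-SHA256 record with a deliberate work factor, plus a small audit routine that flags stored records whose cost is below a floor. The record format, the iteration count, and the sample password are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed cost factor for the example; tune it to the hardware that verifies logins.
PBKDF2_ITERATIONS = 600_000
# Assumed record layout: algorithm$iterations$salt-hex$digest-hex
STRONG_ALGO = "pbkdf2_sha256"


def weak_hash(password: str) -> str:
    """Unsalted single-pass MD5: the CWE-916 pattern.

    Identical passwords produce identical digests (no salt), and one
    attempt costs a single MD5 call, so a stolen store can be guessed
    at hardware speed.
    """
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 with a high iteration count.

    The iteration count is stored alongside the digest so the cost can be
    raised later without invalidating existing records.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{STRONG_ALGO}${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute the PBKDF2 digest from the stored parameters and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != STRONG_ALGO:
        return False
    _, iterations, salt_hex, digest_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), digest_hex)


def audit_entry(stored: str, min_iterations: int = 100_000) -> str:
    """Classify a stored credential by the effort it imposes on an offline guesser.

    Returns 'weak' for a bare 32-hex MD5 digest or a PBKDF2 record below the
    iteration floor, 'ok' for a PBKDF2 record at or above it, 'unknown' otherwise.
    """
    parts = stored.split("$")
    is_hex = all(c in "0123456789abcdef" for c in stored)
    if len(parts) == 1 and len(stored) == 32 and is_hex:
        return "weak"  # unsalted single-pass digest, no work factor at all
    if len(parts) == 4 and parts[0] == STRONG_ALGO and parts[1].isdigit():
        return "weak" if int(parts[1]) < min_iterations else "ok"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample credential (not from the advisory).
    pw = "Relay2016"
    print("weak  :", weak_hash(pw), "->", audit_entry(weak_hash(pw)))
    rec = strong_hash(pw)
    print("strong:", rec[:40] + "...", "->", audit_entry(rec),
          "verify:", verify_strong(pw, rec))
```

The audit function is the part worth adapting: an engineer reviewing a product's credential store can run it over exported records to find entries that were written with a fast, unsalted digest and need re-hashing on next login.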
The Moxa advisory describes a firmware overwrite vulnerability in the Moxa UC 7408-LX-Plus. The advisory reports that ICS-CERT was notified by ‘a third-party’ that identified the vulnerability. A thinking reader might guess that the ‘third-party’ was someone associated with the investigation of the Ukraine power outage (see pg 4, a third of the way down the page). Moxa has produced instructions for a workaround, but no firmware update (ironically) is expected because the device has been discontinued.
ICS-CERT reports that a relatively unskilled attacker…. Nope, they actually said this: “Crafting a working exploit for this vulnerability would be difficult. Root level access is necessary for this exploit. This decreases the likelihood of a successful exploit.” The fact that an actual exploit has been very publicly executed will be used to cast aspersions on all future uses of this phrase by ICS-CERT.
An interesting side note in the advisory: it seems that a successful exploit of this vulnerability essentially bricks the device beyond recovery.