This afternoon the DHS ICS-CERT published two control system security advisories for products from KMC Controls and Trihedral Engineering. The KMC Controls advisory was originally published on the US CERT Secure Portal on May 5th, 2016.
KMC Controls Advisory
This advisory describes twin vulnerabilities in the KMC Controls Conquest BACnet routers. The vulnerabilities were reported by Maxim Rupp. KMC has produced a new firmware version to mitigate the vulnerabilities. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.
The two vulnerabilities are:
• Cross-site request forgery - CVE-2016-4494; and
• Missing authentication for critical information - CVE-2016-4495.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerabilities to read the configuration of the target device.
Trihedral Engineering Advisory
This advisory describes multiple vulnerabilities in the Trihedral Engineering VTScada. The vulnerabilities were reported by an anonymous researcher through the Zero Day Initiative (ZDI).
The vulnerabilities include:
• Out-of-bounds read - CVE-2016-45232F;
• Path traversal - CVE-2016-45325F; and
• Authentication bypass issues - CVE-2016-45108F.
NOTE: The CVE numbers listed above were copied directly from the advisory, but are not in the proper format. It is too early to verify the numbers in the CVE database. I suspect that the real numbers end after the first four digits following the final dash.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to download or view arbitrary files, or to cause the server to crash and not come back without being manually relaunched.
The advisory reports that the upgrade notes on the Trihedral web site provide additional help on installing the updates. Unfortunately, the firmware version that mitigates these vulnerabilities is not listed on that page. That may be because the next latest firmware version was published yesterday and the security updated version was published today.