This morning the DHS ICS-CERT updated an advisory published last week and published a new control system advisory. The updated advisory was for an Environmental Systems Corporation (ESC) product. The new advisory was for a control system product from GE.
This advisory describes a hard-coded credential vulnerability in the GE MultiLink series managed switches. The vulnerability is apparently self-reported. GE has produced a firmware update to mitigate the vulnerability.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to gain unauthorized administrative access to device configurations resulting in exposure and control of all configuration options available through the web interface.
The links provided in the advisory for the firmware update all lead to earlier (v5.3.0 or v5.3.2) affected versions of the firmware. There is no mention on the GE web site of a version 5.5.0.
This update provides additional information on the 8832 Data Controller advisory that was originally published on May 26th. The update notes that a Metasploit module now exists to exploit the two vulnerabilities reported.
Interestingly, searching for a Metasploit module for the ESC 8832 Data Controller I find two database listings (here and here) and a blog that reference a Metasploit module produced by Balazs Makany. Unfortunately, all three sites list five vulnerabilities, not two:
• Session Hijacking
• Predictable user session generation
• Unencrypted protocol
• Lack of user names
• Session token in HTTP GET
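Three of the five items in that list (predictable session generation, lack of user names, and session tokens carried in HTTP GET query strings) leave traces in ordinary web access logs, which is where a defender would look first. The script below is an added example, not code from the advisory, from ESC, or from the Metasploit module discussed here; it assumes Apache-style access-log lines and assumes that session identifiers travel under parameter names such as session, sid or token. The log lines are constructed for the example and do not come from any real device.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (assumed Apache combined-log style; not from any real device).
SAMPLE_LOG = """\
10.0.0.5 - - [26/May/2016:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.5 - - [26/May/2016:10:01:09 +0000] "GET /status.cgi?session=100431 HTTP/1.1" 200 2048
10.0.0.7 - - [26/May/2016:10:02:15 +0000] "GET /status.cgi?session=100432 HTTP/1.1" 200 2048
10.0.0.9 - - [26/May/2016:10:02:40 +0000] "GET /config.cgi?session=100433&page=net HTTP/1.1" 200 4096
10.0.0.5 - - [26/May/2016:10:03:01 +0000] "POST /login.cgi HTTP/1.1" 302 0
"""

# Assumed names under which a session identifier might appear in a query string.
TOKEN_PARAMS = {"session", "sessionid", "sid", "token"}

# Fields of an Apache-style request line: client IP, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def find_tokens_in_get(log_text):
    """Return (client_ip, parameter, value) for every GET whose query string carries a session-like parameter.

    A token in a GET URL is written to server logs, proxy logs and browser history,
    so each hit is a place where the session identifier has been exposed.
    """
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        query = parse_qs(urlsplit(m.group("target")).query)
        for name, values in query.items():
            if name.lower() in TOKEN_PARAMS:
                for value in values:
                    hits.append((m.group("ip"), name, value))
    return hits


def looks_sequential(values, max_step=10):
    """Heuristic for predictable session generation: numeric tokens that increase by small steps.

    Returns False for non-numeric tokens or fewer than two samples, so a random
    hex token never trips the check.
    """
    try:
        nums = [int(v) for v in values]
    except ValueError:
        return False
    if len(nums) < 2:
        return False
    steps = [b - a for a, b in zip(nums, nums[1:])]
    return all(0 < step <= max_step for step in steps)


def assess(log_text):
    """Summarise exposure: how many tokens appeared in GET URLs, from how many clients,
    and whether the observed token sequence looks predictable."""
    hits = find_tokens_in_get(log_text)
    tokens = [value for _, _, value in hits]
    return {
        "tokens_in_get": len(hits),
        "distinct_clients": len({ip for ip, _, _ in hits}),
        "sequential": looks_sequential(tokens),
    }


if __name__ == "__main__":
    for ip, name, value in find_tokens_in_get(SAMPLE_LOG):
        print(f"{ip} sent session parameter {name}={value} in a GET request")
    print(assess(SAMPLE_LOG))
```

On the constructed sample the three session values seen across three different clients differ by exactly one, which is the pattern a reviewer would want flagged: tokens visible in GET requests from one client are trivially guessable for the next. On a real device the token parameter name and the log format are the first two things to adjust.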
The blog post describes the vulnerability disclosure process by TH3R3G3NT. ICS-CERT reports that Maxim Rupp was the security researcher responsible for the two vulnerabilities included in the ICS-CERT advisory. Additionally, the descriptions of the five vulnerabilities in the two database listings are quite different from the two vulnerabilities described in the ICS-CERT advisory. In short, it looks pretty much like there are some vulnerabilities that should be added to this advisory.
BTW: There have not yet been any tweets about either of these advisories. I just happened to notice the ‘-A’ designation on the ESC advisory when I looked at the ICS-CERT landing page this evening. I almost ignored it because of the ‘5-26-16’ date on the listing, but something called out to me. ICS-CERT really needs to do a better job of communicating these updates, particularly when they add notification that a publicly available exploit has been released. That just may change some risk calculations.