Today the DHS ICS-CERT published a control system security
advisory for protective relays from GE. They also updated a previously issued
advisory for a product from Certec EDV GmbH.
GE Advisory
This advisory
describes a weak cryptography for passwords vulnerability in the GE Multilin SR
Protective Relays. The vulnerability was initially reported by Anastasis
Keliris, Charalambos Konstantinou, Marios Sazos, and Dr. Michail (Mihalis)
Maniatakos of New York University. GE has provided firmware updates for all but
one of the affected devices; firmware for the final device is expected to be
available in June. There is no indication that the researchers have been provided
an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to obtain weakly encrypted user
passwords, which could be used to gain unauthorized access to affected
products.
Certec EDV Update
This update
provides additional information on the advisory that was originally
published on April 6th, 2017. This update provides the following
new information:
• The vulnerabilities can be mitigated in the affected versions by activating “the vendor built-in security mechanism”; and
• An outline of the information needed to activate the security mechanism.