Yesterday the DHS ICS-CERT updated two control system security notices: an alert for the BrickerBot malware and an advisory for products from Belden Hirschmann.
BrickerBot Update
This update provides new information on the alert that was originally published on April 12th, 2017. The update more specifically acknowledges the Radware contribution to the current state of knowledge about BrickerBot. It also provides:
• A slightly more detailed and updated description of the operation of both BrickerBot.1 and BrickerBot.2; and
• A new mitigation measure: updating Ubiquiti device firmware.
Belden Hirschmann Update
This update provides new information on the advisory that was originally published on January 26th, 2017. The update expands the scope of the advisory, adding three new vulnerabilities that were apparently fixed by the software version reported in the original advisory. The newly reported vulnerabilities are:
• Server-side request forgery - CVE-2017-6036;
• Cross-site request forgery - CVE-2017-6038; and
• Information exposure - CVE-2017-6040.
Belden did not change their original Security Bulletin. Instead, they issued an additional Security Bulletin to describe the ‘new’ request forgery vulnerabilities. Belden describes the cross-site request forgery as a subset of the server-side request forgery rather than listing it as a separate vulnerability. Belden does not specifically acknowledge the ‘information exposure’ vulnerability reported by ICS-CERT.
Interestingly, the only change that ICS-CERT makes to its ‘impact’ statement to reflect the additional vulnerabilities is to change the words ‘of this vulnerability’ to ‘of these vulnerabilities’. It does not acknowledge Belden’s report that the ‘new’ vulnerabilities may allow an attacker to “trick administrators into changing the configuration of the device”.