Today the DHS ICS-CERT published two control system security
advisories for products from Korenix and Rockwell.
Rockwell Advisory
This advisory
describes a ‘reusing a nonce, key pair in encryption’ vulnerability in the
Rockwell Stratix 5100 Wireless Access Point. This is the ‘KRACK’ (Key
Reinstallation Attack) vulnerability that has been in the news lately (see here for
example). The advisory reports that the vulnerability was discovered by Mathy
Vanhoef; this attribution is for the KRACK
vulnerability generally, not necessarily the specific instance of the
vulnerability in this device. Rockwell will produce a new firmware version that
mitigates the vulnerability in this device.
ICS-CERT reports that an uncharacterized attacker, presumably
with access to a wi-fi signal, could exploit the vulnerability with a publicly available exploit to operate as a
“man-in-the-middle” between the device and the wireless network.
NOTE: The advisory only claims CVE-2017-13082. This is just
one of the 10 CVEs associated with the KRACK vulnerability. It is not clear if
this is just an oversight or if this is the only part of the vulnerability found
in this particular implementation of the WPA2 standard. I suspect that it is
the former.
Korenix Advisory
This advisory
describes two vulnerabilities in the Korenix JetNet Ethernet switch. The
vulnerabilities were reported by Mandar Jadhav of the Qualys Vulnerability
Signature/Research Team. Korenix has produced new firmware that mitigates the two
vulnerabilities. There is no indication that Jadhav was provided an opportunity
to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to gain remote access to the device to run
arbitrary code and perform man-in-the-middle attacks.
Commentary
It is odd that ICS-CERT published the Rockwell Advisory
without publishing a general alert about the KRACK vulnerability. Any control
system devices that provide for wi-fi access while using the WPA2 security
protocol are most likely affected by KRACK.
Fixing just one side of the communications link could still
possibly leave the network exposed to KRACK, particularly since
this is potentially 10 separate vulnerabilities. This is addressed in the
advisory, which notes that:
“Rockwell Automation recommends
that all users patch the clients that connect to the Stratix 5100 WAP/WGB, and
recommends contacting your supplier to get the most updated patch that is
compatible with your client devices. However, patching the client only protects
the connection formed by that specific client.”