Yesterday the DHS ICS-CERT published an advisory concerning
an ‘insufficient entropy’ vulnerability in some of the mGuard security
appliances produced by Innominate. The vulnerability was reported by an independent
research group in a coordinated disclosure. Interestingly, there is no mention
of this advisory being previously published on the US-CERT Secure Portal.

The vulnerability in a number of security appliances would
allow a skilled attacker to obtain the credentials of administrative users.
This could allow them to set up a man-in-the-middle attack where they could remotely
gain control of networks protected by these devices. The affected appliances
were all manufactured before 2006 (ancient by IT standards, but moderately new
by ICS standards).

This is a much more serious set of vulnerabilities than the
buffer overflow vulnerability ICS-CERT reported earlier this week. Too many
security folks get comfortable when their networks are protected by VPN systems
or firewalls. Defects in the security wall make everything behind it
more vulnerable.

Innominate has provided mitigation tools to fix the
identified problems. Since security keys are involved in these systems, the
required mitigation is a bit more complicated than a normal software
upgrades. The Advisory describes three separate modes of mitigation depending
on the configurations involved.

The folks at ICS-CERT publishing this Advisory got a little
too comfortable themselves in the publication process. At the end of the
Advisory they include the standard blurb about additional measures that should
be taken to protect systems. Unfortunately, these all involve putting
industrial control systems behind the types of security devices that are
involved in this vulnerability disclosure. While they do say that these measures are
designed to “protect against this and other
[emphasis added] cybersecurity risks” this section probably should have been
left off of this Advisory.