Yesterday ICS-CERT published another alert for the RuggedCom Rugged Operating System that was based upon a vulnerability publicly disclosed by Justin W. Clarke of Cylance Inc. The public report (once again there is no link to the report, and the Cylance web site is very discreet) identifies a hard-coded RSA SSL private key vulnerability in the RuggedCom ROS. This is the second serious vulnerability that Clarke has identified in this system.
NOTE: Just got an email from Justin and he provides this information about why I can find no link to this public disclosure: "The reason there's no link to the report is that the Friday disclosure was actually a live presentation at BSidesLA 2012 on Friday (http://www.securitybsides.com/w/page/36552449/BSidesLosAngeles). The relevant slides were written by me and presented by Stuart McClure, Founder/CEO of my employer, former Global CTO of McAfee, and Founder/CEO of FoundStone (acquired by McAfee sometime after 2000)." So maybe ICS-CERT should have mentioned the BSidesLA 2012 presentation. Updated 8-22-12 0615 EDT.
The earlier vulnerability report concerned an undocumented backdoor account in the system. Clarke had attempted to coordinate the disclosure on the earlier vulnerability but was rebuffed. It would be interesting to hear from Clarke if he attempted a coordinated disclosure this time or if he just decided to go directly to a public disclosure because of his past experience with RuggedCom.

It will be interesting to see how quickly RuggedCom responds to this disclosure.