A week ago last Saturday there was an interesting article posted on CNET.com. It deals with an encryption problem with a common protocol used in the authentication process for virtual private networks. The vulnerability was discussed at DEFCON by Moxie Marlinspike, who released tools for cracking the passwords used in establishing VPN connections.
I held off on commenting on this issue because I figured that we would be seeing an ICS-CERT alert on it. I know that the software involved is not actually a control system, but VPNs are commonly used to remotely access control systems, so this should be an ICS-CERT concern. This is especially true since ICS-CERT routinely urges the use of VPNs when remote access is required for control systems.
Now the CNET article doesn’t provide a lot of details, but the tool (ChapCrack) does not appear to be especially user friendly, and it does require the use of an outside decryption service, CloudCracker, at $200 a pop, so this isn’t something that is going to be used by a casual attacker. Having said that, it is a serious vulnerability in a common control system security tool, and it should have been addressed by an ICS-CERT alert.
Fortunately, it is a Microsoft vulnerability, and CNET reports that Microsoft is working on a solution to the problem. In the meantime, organizations that authorize VPN access to control systems should review the requirements for that access and limit it as appropriate. And remember, access to the enterprise network may provide access points to the control system that were not originally recognized.
1 comment:
Hi Patrick,
I don't think anyone would consider me an ICS-CERT apologist, but in this case they made the right choice.
By your logic, ICS-CERT would need to put up a bulletin for every Microsoft, Oracle, *nix, ... vuln and patch because they are widely used in control systems.
Owner/operators should be monitoring the vendor support site and US-CERT for these security bulletins.
I think the converse argument actually makes more sense. Everything should be on US-CERT with perhaps a keyword for ICS specific vulns. I see no difference in the quality of the alerts now as compared to the days prior to ICS-CERT.
Dale Peterson
Digital Bond, Inc.