A month ago ICS-CERT published
an advisory for a hard-coded root credential vulnerability in the ORing DIN-Rail
Device Server that was reported in an uncoordinated disclosure by Reid
Wightman, then working with DigitalBond. Reid’s blog post about that
vulnerability reported that the same vulnerability existed in Korenix Jetport
5600. In fact, he noted that the backdoors were identical and “the firmwares
are eerily similar”. Today, ICS-CERT published
the advisory for the Jetport 5600.
Unlike the earlier advisory, where ICS-CERT threw the vendor
under the bus for failure to correct the deficiency, ICS-CERT reports that
Korenix has developed an upgraded version of the firmware that removes the root
and guest accounts and includes the current version of OpenSSL. The advisory
doesn’t note, however, that anyone has confirmed that this corrects the
problem.
If Reid is right about the two devices sharing the same
firmware, then this update should also correct the problem in the ORing server.
I wonder if anyone has checked this out?
Where Are the Alerts?
Okay, I tried to avoid it, but I just have to ask. Why wasn’t
there an alert published back in June when Reid published his blog post about
the vulnerability (complete with exploit code) about both of these systems?
Wouldn’t the owners of these devices (most of which had probably never heard of
DigitalBond) want to know that they were vulnerable to having their system
completely taken over by anyone with an interest in messing with them?