Today the folks at DHS ICS-CERT published two advisories for
different systems that were based upon uncoordinated disclosures reported
earlier by ICS-CERT. Actually ICS-CERT only notes that one is based upon an
earlier alert, but records show that both were. The affected systems are from
RuggedCom and Carlo Gavazzi Automation.
RuggedCom Advisory
This
advisory is based upon Key Management Errors originally reported by Justin
W. Clarke of Cylance Inc and the ICS-CERT Alert was published
in August and updated
later that month. According to this Advisory a moderately skilled attacker
could use the publicly available exploit “to establish a secure communication
link with RuggedCom network devices and manipulate settings that would result
in a denial of service condition”. Why that would only allow a ‘DOS condition’
is not made clear.
RuggedCom has developed a number of device specific
mitigations for this vulnerability, ranging from an update for ROS devices, to
a recommendation to update SSL and SSH keys for ROX devices. The situation for
RUGGEDMAX devices appears to be more complicated because there is one solution
for SSH service and a temporary solution for HTTPS access; the last doesn’t
sound encouraging.
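The key management error behind this advisory, and the recommendation to update SSL and SSH keys, both come down to one question an asset owner can answer for themselves: do several devices on the network present the same key? The script below is an added example, not code from the post, ICS-CERT or RuggedCom; it takes an inventory of SSH host key lines (the constructed sample here uses placeholder key blobs and made-up device names, nothing captured from real hardware), computes OpenSSH-style SHA256 fingerprints, and reports any fingerprint shared by more than one device so those devices can be prioritised for key rotation.

```python
import base64
import binascii
import hashlib
from collections import defaultdict


def _placeholder_blob(label: str) -> str:
    # Build a syntactically valid base64 key blob from a label. This is
    # constructed placeholder data for the example, not a real host key.
    return base64.b64encode(label.encode()).decode()


# Constructed sample inventory: device name -> SSH host public key line as it
# would appear in known_hosts ("type base64blob"). Three of the four devices
# deliberately share one blob to model a factory-default (shared) key.
SAMPLE_INVENTORY = {
    "ros-switch-01": "ssh-rsa " + _placeholder_blob("shared-factory-key"),
    "ros-switch-02": "ssh-rsa " + _placeholder_blob("shared-factory-key"),
    "rox-router-01": "ssh-rsa " + _placeholder_blob("unique-key-router-01"),
    "rox-router-02": "ssh-rsa " + _placeholder_blob("shared-factory-key"),
}


def fingerprint(key_line: str) -> str:
    """Return an OpenSSH-style 'SHA256:<base64>' fingerprint for a key line.

    The line format is 'keytype base64blob [comment]'. Malformed lines raise
    ValueError so a bad inventory entry is noticed rather than silently hashed.
    """
    fields = key_line.split()
    if len(fields) < 2:
        raise ValueError(f"malformed key line: {key_line!r}")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"invalid base64 key blob: {fields[1]!r}") from exc
    digest = hashlib.sha256(blob).digest()
    # OpenSSH prints the SHA256 digest base64-encoded with padding stripped.
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def find_shared_keys(inventory: dict) -> dict:
    """Group devices by host-key fingerprint and keep only groups of size > 1.

    Returns {fingerprint: [device, ...]} for every key presented by more than
    one device; an empty dict means every device has its own key.
    """
    by_fingerprint = defaultdict(list)
    for device, key_line in inventory.items():
        by_fingerprint[fingerprint(key_line)].append(device)
    return {fp: sorted(devs) for fp, devs in by_fingerprint.items() if len(devs) > 1}


def main() -> None:
    shared = find_shared_keys(SAMPLE_INVENTORY)
    if not shared:
        print("no shared host keys found")
        return
    for fp, devices in shared.items():
        print(f"{fp} is presented by {len(devices)} devices: {', '.join(devices)}")
        print("  -> rotate keys on these devices; a shared key cannot be trusted")


if __name__ == "__main__":
    main()
```

On a real network the inventory would be filled from a known_hosts file or an ssh-keyscan run against the device list; the same grouping works for TLS certificate fingerprints from the HTTPS interface, which is the other service the advisory asks owners to re-key.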
Carlo Gavazzi Automation Advisory
This advisory
seems to me to be clearly based upon an alert issued
in October for the Sinapsi eSolar Light Photovoltaic System Monitor. That
alert clearly notes that the Gavazzi EOS box is one of the names under
which the Sinapsi product was sold. This advisory does not mention the earlier
alert and it only addresses two of the vulnerabilities (hard-coded credentials
and SQL injection) addressed in that earlier alert. If the earlier alert does
not in fact apply to the EOS box, ICS-CERT should revise the earlier alert to
reflect that fact.
The advisory notes that a relatively unskilled attacker
could use the publicly available exploit code (another reason to believe the
alert should have been referenced) to remotely gain administrative access and
control of the system (credential vuln) or gain access to information about the
system (SQL vuln). Carlo Gavazzi has developed an updated firmware version to
mitigate these vulnerabilities and has released the new firmware ‘directly to
the devices’. Interestingly that is just what Sinapsi did almost a month
earlier to their devices affected by the same vulnerabilities. As I have
mentioned in the past, I think that the ability of the manufacturer to release
the firmware updates directly to the devices is a vulnerability in and of
itself, even if it is not misused.
Two questions remain unanswered: what happened to the other
two vulnerabilities mentioned in the original alert (and the Sinapsi advisory), and
when will we see the advisories for the other manufacturers listed in the
original alert?