Back on Wednesday (holiday delay) the DHS ICS-CERT published
two advisories affecting products from Alstom Grid and Monroe Electronics. The
Alstom Grid products are used to configure protective relays sold by that company.
The Monroe Electronics products are used to broadcast Emergency Alert System
(EAS) messages.
Alstom Grid
This advisory
concerns a self-reported improper authorization vulnerability in their MicCOM
S1 Agile Software and older MiCOM S1 Studio Software (Versions of MiCom S1
Studio software from other vendors are not addressed in this advisory). This
vulnerability is not remotely exploitable and requires local access action by
an authorized user. The vulnerability does allow for privilege escalation.
ICS-CERT reports that Alstom Grid has released an updated version
of the software that mitigates the problem. Since the vulnerability is
self-reported so is the efficacy of the mitigation.
Monroe Electronics
This advisory
reflects an SSH Key vulnerability reported by Mike Davis, a researcher with
IOActive, in a coordinated disclosure. It affects the DASDEC-I and DASDEC-II
products. It allows a moderately skilled attack to gain remote ‘root access’ to
the system, allowing complete control of the system.
ICS-CERT reports that Monroe Electronics has produced a
software update that mitigates this vulnerability. It does not report whether
or not Mike Davis or IOActive have verified the efficacy of the update.
Expanding ICS
Both of these products are specialized control system
applications that are used in relatively limited systems. Both, of course, have
the capability to affect operations well outside of their control domain. There
are probably thousands of these limited use control systems in use. I would bet
that because the organizations producing them do not have large software
development shops that there concerns with security programing are relatively
limited.
I suppose that it is a sign of the increased interest in ICS
security that vulnerabilities in limited application systems like these are
starting to be addressed by security researchers. It is especially heartening
in this instance to see a Alstom Grid self-reporting their vulnerability. That
they detected it in-house is a good sign in and of itself. That they reported
it to ICS-CERT is always a good thing.
Posts
No comments:
Post a Comment