This afternoon the DHS ICS-CERT published an advisory for an
insufficient entropy vulnerability in Moxa’s OnCell Gateways, cellular IP
gateways. The vulnerability was reported by Nadia Heninger (UCSD) and Zakir Durumeric,
Eric Wustrow, and J. Alex Halderman (UM) in a coordinated disclosure.
ICS-CERT reports that a highly skilled attacker could
remotely exploit this vulnerability to gain unauthorized access to the system.
Moxa has produced a firmware upgrade that mitigates the vulnerability, though
there is no indication in the Advisory that anyone outside of Moxa has verified
the efficacy of the upgrade. Actually Moxa released the upgrade in early April,
2013 and has been notifying their customers of the situation.
ICS-CERT provides their standard tactics for protecting
control systems (avoiding internet exposure, locate devices behind firewalls,
use VPNs for remote access etc). What is missing is any mention of dealing with
cellular access, particularly important when the vulnerable system is used for
connecting devices to a cellular network.
Posts
No comments:
Post a Comment