This afternoon the DHS ICS-CERT published an advisory for two improper input validation vulnerabilities in the Schweitzer Engineering Laboratories’ (SEL) real-time automation controllers (RTAC). The vulnerabilities were reported by Adam Crain of Automatak and Chris Sistrunk in coordinated disclosures.
ICS-CERT reports that these vulnerabilities (one for serial connections and a separate one for IP-based connections; NOTE: links will not work for a day or two) could be remotely exploited by a moderately skilled attacker to execute a denial of service attack. SEL has developed a CD-ROM based upgrade package to mitigate the vulnerabilities. ICS-CERT reports that Crain and Sistrunk have validated the efficacy of the upgrades.
I tried to review the SEL information on these vulnerabilities, but it was not directly available on their web site. Instead, SEL allows people with corporate email accounts to sign up to receive SEL security notices by distribution. Anyone owning any SEL control system equipment should sign up for this service.
SEL gets top marks for their handling. Very professional. They notified customers prior to the ICS-CERT advisory with the appropriate information.
Thanks for the insight, Adam. I was slightly disappointed that their advisory wasn't posted on their site (like Siemens does), but sending it directly to the user makes lots of sense. I just hope that their sales staff is pushing customers to sign up for the service.