Today the DHS ICS-CERT published two control system
advisories; one for an encryption vulnerability in the Schneider Electric Trio
J-Series Radios and one for an input validation vulnerability in the Software
Toolbox TOP Server DNP Master OPC product.
Schneider Vulnerability
This advisory concerns a self-reported hard-coded encryption key vulnerability
(NOTE: The Schneider web site reports that this vulnerability was reported by
an unnamed security researcher). Some versions of the firmware in the Trio
J-Series License Free Ethernet Radio do not properly generate an AES encryption
key. Schneider reports that simply upgrading to a newer version of the firmware
does not necessarily correct the problem.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to take control of the communications
network and the control system attached to it. Schneider reports that they have
updated firmware that, properly applied, will mitigate the problem. There is no
indication that the original researcher has validated the update.
NOTE: Schneider identified this problem and solution in May
and posted it on their web site on August 8th. That delay was almost
certainly due to attempting to notify customers of the problem. The delay in
the ICS-CERT reporting of this issue is not explained.
TOP Server Vulnerability
This advisory concerns an improper input validation vulnerability in the TOP
Server DNP Master OPC product identified by Adam Crain and Chris Sistrunk. Oh,
hell, just read my Kepware blog post of last week; this advisory is for the
same vulnerability in the same system; it’s just marketed under a different
label. Adam pointed this out to ICS-CERT but they would not add it to the
earlier advisory. Adam and Chris get credit for another coordinated disclosure
because they pushed ICS-CERT to publish this advisory so that the TOP Server
owners would understand that this vulnerability applied to them.
This is an ongoing problem with hardware, software and
firmware sold under different names or included in other systems. As more of
these types of vulnerabilities are reported, blackhats will begin to realize
that systems are vulnerable because owners don’t realize that available patches
and upgrades apply to their equipment. ICS-CERT needs to step up and be
proactive in these types of situations and not have to be pressured into acting
by concerned researchers.
BTW: The Project Robus web site takes credit
for this advisory and reports that there are now 17 disclosures pending.