Today the DHS ICS-CERT published a control system
advisory for a weak pseudo random number generator (PRNG) in ProSoft
Technology RadioLinx ControlScape products. The vulnerability was reported by Lucas
Apa and Carlos Mario Penango Hollman, with IOActive, in a coordinated
disclosure.
ICS-CERT reports that a moderately skilled attacker could
remotely exploit this vulnerability to generate system passwords. ProSoft has
produced a
patch (WARNING: this is a link to an .EXE file) that reportedly mitigates
this but there is no indication that the efficacy has been verified by the
IOActive researchers. ProSoft has provided a suggestion for making the current
password generation system more secure without the upgrade:
“Changing the default ‘seed’
passphrase will greatly increase the entropy of passphrase generation process.”
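An added illustration of the weakness the advisory describes, constructed for this post and not ProSoft's code or its actual algorithm: a password generator driven by a deterministic PRNG seeded from a default passphrase reproduces the same passwords for anyone who knows that default, whereas a CSPRNG-backed generator has no seed to recover. The alphabet, password length and default passphrase are assumptions.

```python
"""Constructed example: deterministic PRNG seeded from a passphrase
(the weak pattern) beside an OS CSPRNG (the hardened form)."""
import hashlib
import math
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits   # assumed character set
DEFAULT_SEED_PASSPHRASE = "default"               # hypothetical vendor default


def weak_generate(seed_passphrase: str, length: int = 12) -> str:
    """The seed passphrase fully determines the output: whoever knows the
    (default) passphrase can regenerate every password the device made."""
    digest = hashlib.sha256(seed_passphrase.encode()).digest()
    rng = random.Random(int.from_bytes(digest[:8], "big"))  # Mersenne Twister, not cryptographic
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def strong_generate(length: int = 12) -> str:
    """Draw from the OS CSPRNG; there is no seed state to guess or reuse."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def is_predictable(password: str, candidate_seeds, length: int = 12) -> bool:
    """Defender's check: does any known or default seed reproduce this
    password? If so it offers no secrecy beyond that of the seed itself."""
    return any(weak_generate(s, length) == password for s in candidate_seeds)


def entropy_bits(alphabet_size: int, length: int, seed_known: bool) -> float:
    """Nominal entropy of the password versus its effective entropy once
    the seed is known (the output collapses to a single possibility)."""
    return 0.0 if seed_known else length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = weak_generate(DEFAULT_SEED_PASSPHRASE)
    print("weak, default seed :", pw, "predictable:", is_predictable(pw, [DEFAULT_SEED_PASSPHRASE]))
    print("weak, custom seed  :", weak_generate("site-specific phrase"))
    print("csprng             :", strong_generate())
    print("bits if seed known :", entropy_bits(len(ALPHABET), 12, True))
```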