Yesterday afternoon the DHS ICS-CERT published two advisories on its web page. One is a second update for a very old (2011) advisory for an Advantech/Broadwin WebAccess RPC Vulnerability. The second is for multiple vulnerabilities in the Sierra Wireless AirLink Raven X EV-DO application. The response from both vendors is less than adequate and misleadingly documented in the advisories.
WebAccess Update
This advisory traces back to an original alert on March 23, 2011 from ICS-CERT based upon an RPC vulnerability initially reported by Ruben Santamarta in a coordinated disclosure that was not validated by Broadwin. As a result Ruben publicly released exploit data for the vulnerability, resulting in the ICS-CERT Alert.
In April Broadwin acknowledged the vulnerability and ICS-CERT published an advisory stating that it was working with Broadwin to produce an appropriate patch.
Then in November, 2011 ICS-CERT published an advisory update for the vulnerability that restated the data available in the original alert along with the information that: “Advantech/BroadWin has notified ICS-CERT that a patch will not be issued to address this vulnerability.”
Today’s advisory update announces that Advantech “has provided a free version upgrade that mitigates this vulnerability for any licensed user of any previous version of WebAccess”. This is certainly good (if dangerously belated) news for any owners that still have these systems in service.
Interestingly, today’s update notes that the vulnerability applies to any version of WebAccess prior to Version 7.1 2013.05.30. I don’t know for sure, but that number seems to indicate that Advantech continued to produce vulnerable versions up until May 30th of last year.
This is obviously a company that cares about ICS security (SARCASM Alert). This is reinforced by the absence of any mention of security issues in the latest version of its WebAccess product data sheet.
Sierra Wireless Advisory
This advisory notes that a researcher from Cimation had identified two vulnerabilities in the Raven X EV-DO wireless communications module that would allow a relatively unskilled attacker to remotely reprogram the firmware on the devices. The vulnerabilities include:
• Missing encryption of sensitive data, CVE-2013-2819; and
• Authentication bypass by capture-replay, CVE-2013-2820
NOTE: The CVE links will become active in a couple of days.
The Advisory notes that “Sierra Wireless has discontinued the AirLink Raven X EV-DO and recommends that customers use GX400, GX440, or LS300 as replacements that mitigate these vulnerabilities”. Following the Sierra Wireless link provided in the advisory I can find the statement for ‘other global’ wireless providers that “Product Status: Discontinued, still supported”, but no mention of a recommendation to switch to other devices.
None of the pages for Raven X EV-DO devices used with Telus, Sprint, Bell Mobility, Alltel, and Verizon wireless services indicate that the device has been discontinued or include any mention of this very serious security concern. This is a problem since those pages list the same firmware version numbers identified in the advisory.
In other words, we have another ICS device vendor that does not appear to take cybersecurity concerns very seriously.