Today the DHS ICS-CERT took the unusual step of publishing an
advisory for multiple vulnerabilities that are not acknowledged by the
vendor, OleumTech. As a result, no patches or updates appear to be
forthcoming from this coordinated disclosure. The disclosures were made
by Lucas Apa and Carlos Mario Penagos Hollman of IOActive.
ICS-CERT reports that the vulnerabilities include:
• Improper input validation vulnerability - CVE-2014-2360 – could lead to a DoS attack and arbitrary code execution;
• Key management errors - CVE-2014-2361 – local access could lead to intercepting site security key;
• Use of cryptographically weak pseudo-random number generator - CVE-2014-2362 – 4-byte key could be guessed relatively easily.
ICS-CERT notes that an additional vulnerability reported by
IOActive, unencrypted data messages, may be considered a user configuration
issue since encryption options are available at setup. ICS-CERT reports that
OleumTech does not accept the encryption issues as problems since they intended
the functions to address authentication issues, not encryption. OleumTech does
not address the issues on their web site, so ICS-CERT feels justified in
publishing this advisory to alert owners to the vulnerabilities.