Tuesday, July 22, 2014

ICS-CERT Obscures Publication of Two Advisories

This afternoon the DHS ICS-CERT published two control system advisories on their web site. For some reason, probably an oversight, they did not list the two advisories on the landing page of their web site. They were reported on TWITTER® (here and here) and are listed on the Advisories page of their web site. The advisories report multiple vulnerabilities in systems from Omron and Honeywell.

Omron Advisory

This advisory describes vulnerabilities reported by Joel Sevilleja Febrer of S2 Grupo with Omron’s NS series HMI terminals. ICS-CERT reports that Omron has produced an update that mitigates the vulnerabilities, but there are no indications that Sevilleja has had the opportunity to verify the efficacy of the effort.

The twin vulnerabilities are:

• Cross-site request forgery - CVE-2014-2369; and
• Cross-site scripting - CVE-2014-2370.

ICS-CERT reports that it would take a moderately to highly skilled attacker to remotely exploit these vulnerabilities. The advisory provides separate links to the new versions of each affected system. Interestingly, I can find no mention of the updated versions or the security issues requiring the update at the links provided.

Honeywell Advisory

This advisory describes vulnerabilities reported by Martin Jartelius of Outpost24 and Juan Francisco Bolivar in the Honeywell Falcon XLWeb controller. ICS-CERT reports that Honeywell has produced an update that deals with both vulnerabilities, but there is no indication that the researchers have been given the opportunity to verify the efficacy of the fix.

The twin vulnerabilities are:

• File accessible to external parties - CVE-2014-2717; and
• Cross-site scripting - CVE-2014-3110.

ICS-CERT reports that a moderately skilled attacker could remotely exploit these vulnerabilities. Honeywell’s report on these vulnerabilities is only available to registered owners.

NOTE: This advisory was previously posted to the US-CERT Secure Portal. Once again, I urge all control system owners, integrators and security researchers to register for access to this portal for valuable advance notice of advisories like this.
