This afternoon the DHS ICS-CERT published an advisory for an authentication vulnerability in the Yokogawa Centum 3000 series. The vulnerability was initially reported by Tod Beardsley of Rapid7 in a semi-coordinated disclosure. It was initially disclosed to Yokogawa (May 1st according to Rapid7) and to CERTs (June 25th; presumably Japan-CERT and ICS-CERT?). The "semi" comes from the publication of a Metasploit module on August 9th and a Defcon presentation at about the same time. No word why ICS-CERT did not produce an alert at that point, particularly since it appears that Yokogawa probably had interim mitigation measures available at that time. It could be that Yokogawa, not ICS-CERT, was responsible for that decision.
NOTE: The ICS-CERT advisory gives co-discovery credit to Jim Denaro of CipherLaw. According to the Rapid7 post about this vulnerability, it sounds like Denaro was providing legal advice, not technical involvement in discovering the vulnerability.
ICS-CERT reports that a relatively unskilled attacker could use the publicly available exploit to remotely leak the CENTUM project database location, read and write arbitrary files,
Yokogawa expects to publish patches for the affected projects by the end of this month. The Advisory provides information on interim mitigation strategies.
There is an interesting comment in the Yokogawa report on this vulnerability (pg 2) that did not make it into the ICS-CERT advisory:

“When Yokogawa service personnel perform updating the revision and application the software patch, those charges are borne by the customer.”
I’m hoping that it lost something in translation, but it sure sounds like if Yokogawa has to send out a rep to install their patches, the system owner is going to pay for that service.