Today the DHS ICS-CERT published an updated version
of their advisory on the Network Time Protocol vulnerabilities. This is a
fairly extensive update with five separate areas of the advisory being revised.
The revisions deal with:
● The scope of the covered systems;
● The scope of the vulnerabilities;
● Additional background information;
● Additional mitigation information; and
● A link to a new document on best practices for using time reference services.
Scope Changes
ICS-CERT acknowledges in this new version that a
number of vendor systems will be affected by this open source vulnerability.
They note that they are working with vendors to determine which systems are
specifically vulnerable. They will be publishing a supplement to this advisory
that provides additional information on affected systems and unique mitigation
measures.
In a rather unusual move ICS-CERT has added two new
vulnerabilities to this advisory. They are:
● Authentication bypass by spoofing - CVE-2014-9297; and
● Improper check for unusual or exceptional conditions - CVE-2014-9298
Best Practices
This best practices document is interesting in a lot of ways. First off, it has no
organizational markings on it, and it is prominently labeled “Unclassified”.
This kind of leads me to believe that it may be a military document. There is a
reference on page one to notifying the Coast Guard in case of a problem with a
GPS signal.
About half of the document deals with GPS issues,
about 1/3 deals with NTP issues, and the remaining space is taken up with a
discussion of cesium clock issues and Time and Frequency Distribution System
considerations.
Systemic Issues
We are seeing an increasing number of systemic vulnerabilities
in industrial control systems that affect products from a number of vendors.
These types of issues make it easier for a serious attacker to develop tools that
would be effective across a wide range of control system platforms. This would
make things easier for people developing cyber-warfare weapons. A pretty sound argument
could be made that a large portion of the ICS-CERT assets should be focused on
these types of issues. Advisories of this sort (and the promised future updates
and supplements) show that ICS-CERT is taking this type of issue seriously.
Whether it is seriously enough, only time will tell.