Today the DHS ICS-CERT published two new HART-DTM
related advisories, updated the CodeWrights HART-DTM advisory, updated the NTP
Advisory and published their promised NTP supplement. It was a busy information
afternoon for ICS-CERT.
NTP
Information
The third update
to the ICS-CERT advisory on the NTP vulnerabilities was simply a change to add
a link to the promised supplement addressing vendor specific information about
how those vulnerabilities are implemented in specific products. That Supplement
currently lists affected products (and mitigation measures) from/for the
following vendors:
● Arbiter
Systems;
● Innomoninate;
● Meinberg;
● Siemens; and
● Wind River System;
The Supplement does not currently list reportedly
unaffected products. Updates to this Supplement are expected.
HART-DTM
Information
The third update to the CodeWrights HART-DTM
advisory provides some new information about affected systems, including adding
Honeywell to the list of potentially affected vendors. Interestingly GE-MAKTec
was not included on the list even though ICS-CERT published an advisory about
their HART-DTM vulnerabilities today. The Update has also provided links to ICS-CERT
advisories for Emerson,
Honeywell,
Magnetrol,
and Pepperl+Fuchs.
There is some additional clarification about the
potential impact of successful exploits of this vulnerability. ICS-CERT notes
that it only affects the Field Device Tool (FDT) Frame Application. Since that
application is only used for configuration changes, ICS-CERT reports that a
successful exploit “does not result in loss of information, control, or view by
the control system of the HART devices on the 4-20 mA HART Loop”.
ICS-CERT continues to emphasize how difficult it
would be to craft an exploit for this vulnerability. Interestingly, they have
removed the comments about compromised physical access to the 4 mA to 20 mA
current loop. They emphasize that an exploit is possible from “any adjacent
network that receives or passes packets from the HART Device DTM”.
The new advisories for Pepperel+Fuchs
products and products from GE and MAKTec
(GE provides the DTM software for the MAKTec Bullet Adapter DTM according to a GE
Advisory) provide basically the same information as the current CodeWrights
advisory.
Consistency
of Information Sharing
It seems odd that ICS-CERT is issuing individual
advisories for vendors affected by the HART-DTM vulnerability but issues a
supplement for the advisory that lists those affected by the DTP vulnerability.
In most ways it really does not make a difference which process ICS-CERT uses
and they are under no mandate or obligation to maintain any sort of consistency
in their methodology.
Having said that the multiple advisory process being
used with the HART-DTM vulnerability does present a problem. The two advisories
issued today share the same language as that found in the current version of
the CodeWrights advisory. The Emerson and Magnetrol advisories share the
language with the previous version of the CodeWrights advisory. This means that
ICS-CERT really should have offered updates of those two advisories today as
well. And when the next change takes place, they will have to update all five
advisories (plus any others issued in the interim). Using the DTP
advisory/supplement model, only one advisory needs to be updated when
information on the base vulnerability changes.
Posts
No comments:
Post a Comment