Today the DHS ICS-CERT published two new control system
advisories for systems from Sinapsi and N-Tron.
Sinapsi Advisory
This advisory
describes a plain text password vulnerability in the Sinapsi eSolar Light
application. The vulnerability was disclosed by Maxim Rupp. Sinapsi had
produced a new version that mitigates the vulnerability but there is no
indication that Rupp has been provided an opportunity to verify the efficacy of
the fix.
ICS-CERT reports that a relatively unskilled attacker with
local system access could exploit this vulnerability to gain system passwords.
ICS-CERT reports that the updated version is available by
contacting Sinapsi on their web site.
ICS-CERT does not provide a link to the web site.
Interestingly an earlier
ICS-CERT alert for separate Sinapsi eSolar Light vulnerabilities indicates
that this product had also been sold under the names Enerpoint eSolar Light,
Schneider Electric Ezylog Photovoltaic Management Server, Gavazzi Eos-Box, and
Astrid Green Power Guardian. I suspect that at least some versions of those
products might be affected by this vulnerability as well.
N-Tron Advisory
This advisory
describes a hard-coded encryption key vulnerability in the N-Tron 702-W
Industrial Wireless Access Point device. The vulnerability was reported to
ICS-CERT by Neil Smith of ZeroFox. ICS-CERT reports that:
“N-Tron has been notified of this
reported vulnerability, and NCCIC/ICS‑CERT has not been able to successfully
coordinate this issue with N-Tron or Red Lion because of the vendor’s
unresponsiveness. ICS-CERT is unaware of any fix, patch, or update by N-Tron
that mitigates this vulnerability. This advisory is being published to inform
critical infrastructure asset owners of the risk of using this equipment and
for them to increase compensating measures if possible.”
Posts
No comments:
Post a Comment