This afternoon the DHS ICS-CERT published a control system advisory for the Exemys Telemetry Web Server. The login bypass vulnerability described
in the advisory was reported by Maxim Rupp. ICS-CERT reports that Exemys “has
not produced a patch to mitigate this vulnerability”.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit this vulnerability to access information on the server.
The only vulnerability-specific mitigation measure comes from ICS-CERT, and it
comes with no clear instructions on how to put the proposed measure into
effect. The measure that ICS-CERT recommends is:
“ICS-CERT recommends implementing a
single point login that cannot be bypassed.”
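What a “single point login” means in practice is that one authentication gate runs in front of every request, rather than each page deciding for itself whether the visitor is logged in; a login bypass in a web server is very often nothing more than one page that forgets to check. The following is an added illustration of that design contrast and is not code from the Exemys product or from ICS-CERT, nor a description of how the Exemys flaw actually works. The routes, session tokens and page contents are constructed sample data.

```python
"""Single point of login versus per-page checks (added illustration,
not Exemys or ICS-CERT code; all routes and data are constructed).

PerHandlerAuth: every handler is responsible for its own login check,
and one of them (status_page) has none, so an unauthenticated client
can read its data.
SinglePointAuth: one gate runs before any handler is chosen, denies by
default, and normalises the path so that variant spellings of a URL
cannot slip past the allow-list of public pages.
"""
import posixpath
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

Response = Tuple[int, str]            # (HTTP status code, body)


@dataclass
class Request:
    path: str
    session: str = ""                 # session token; "" when not logged in


VALID_SESSIONS = {"tok-0001"}         # constructed sample session store
PUBLIC_PATHS = {"/login"}             # the only page reachable without a session


def logged_in(req: Request) -> bool:
    return req.session in VALID_SESSIONS


# --- handlers shared by both designs (constructed sample pages) --------
def login_page(req: Request) -> Response:
    return 200, "login form"


def telemetry_page(req: Request) -> Response:
    return 200, "tank level: 73%"


def status_page(req: Request) -> Response:
    return 200, "modem ok, rssi -71 dBm"


ROUTES: Dict[str, Callable[[Request], Response]] = {
    "/login": login_page,
    "/telemetry": telemetry_page,
    "/status": status_page,
}


def canonical(path: str) -> str:
    """Collapse //status, /status/, /x/../status to /status before any decision."""
    return posixpath.normpath("/" + path.lstrip("/"))


# --- design 1: each handler checks on its own ---------------------------
class PerHandlerAuth:
    """The login check lives inside the handlers; status_page never got one."""

    def handle(self, req: Request) -> Response:
        handler = ROUTES.get(req.path)
        if handler is None:
            return 404, "not found"
        if handler is telemetry_page and not logged_in(req):
            return 401, "login required"
        # status_page is dispatched with no check at all: that is the bypass
        return handler(req)


# --- design 2: one gate in front of everything ---------------------------
class SinglePointAuth:
    """A single gate decides for every path; handlers never see anonymous requests
    unless the canonical path is on the public allow-list."""

    def gate(self, req: Request) -> bool:
        return canonical(req.path) in PUBLIC_PATHS or logged_in(req)

    def handle(self, req: Request) -> Response:
        if not self.gate(req):              # deny by default, before dispatch
            return 401, "login required"
        handler = ROUTES.get(canonical(req.path))
        if handler is None:
            return 404, "not found"
        return handler(req)


if __name__ == "__main__":
    anonymous = Request("/status")
    print("per-handler :", PerHandlerAuth().handle(anonymous))   # data leaks
    print("single gate :", SinglePointAuth().handle(anonymous))  # 401
```

The point of the second design is not the particular check but its placement: because the gate runs before routing and treats everything as private unless explicitly listed, adding a new page cannot reopen the hole, and path normalisation stops the usual trick of reaching a private page through an alternative spelling of its URL.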
It is unusual for ICS-CERT not to be at least a little more
forthcoming about why there is not now (and presumably won’t be in the near
future) a vendor-provided patch or upgrade. While Exemys is headquartered in
Argentina, there is no mention of difficulties contacting the organization or
of the vendor disputing the reported vulnerability. A dispassionate observer
would probably be excused for assuming that Exemys is not concerned about the
existence of this vulnerability.