I got an interesting email this weekend from Neil Smith (the researcher who is credited with reporting the vulnerability) about the recent ICS-CERT Advisory on the Advantech EKI-122X series products that I discussed last week. Neil had some comments on the mitigation measures outlined in the Advisory.
The Advisory explained the mitigation measures this way:
“Advantech released new firmware in October 2015 to mitigate this vulnerability. For the EKI‑122* BE (v1.65) and EKI-136* (v1.27) product lines, HTTPS and SSH is disabled. For the EKI‑132* (v1.98) product line, additional configurations were added to allow customization for the HTTPS and SSH keys.”
Neil notes that “HTTPS and SSH is disabled” means that
Advantech is “reverting back to plaintext device configuration by default,
and leaving it up to the end user to configure SSL/SSH with their own keys”.
Since there is no publicly available documentation for these
firmware updates, I have no way of knowing if Advantech has made this clear to
the users.
It seems to me that this is actually a step backwards (if
Advantech has not made this clear) in that, without additional owner/integrator
actions, it will be even easier to make unauthorized changes to these Modbus
gateways than it was before the update was installed. At least with the
original firmware, you had to know the hardcoded password.
In closing his email, Smith wanted me to remind readers
that “if a user updates to the latest firmware, they need to double check these
services are turned back on and make sure their own certs/keys are being used”.
[Updated with 'reader' name - 11-9-15, 21:05 CST]
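
One way to script the post-update check Smith describes, as an added example that is not from the original post, the Advisory or Advantech. It assumes the gateway uses the standard ports (80, 443, 22) and that the owner has recorded the SHA-256 fingerprint of the certificate they installed; it covers service state and the HTTPS certificate only, not the SSH host key.

```python
import hashlib
import socket
import ssl

# Assumed standard ports; the Advisory does not list them, adjust to your setup.
PORTS = {"http": 80, "https": 443, "ssh": 22}

def port_open(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def https_cert_sha256(host, port=443, timeout=3.0):
    """SHA-256 of the certificate the device presents, or None if the
    handshake fails. Chain validation is skipped on purpose: the check
    pins the exact certificate the owner installed."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
                return hashlib.sha256(der).hexdigest()
    except OSError:  # includes ssl.SSLError (e.g. handshake refused)
        return None

def observe(host):
    """Collect service state from one gateway (needs network access)."""
    obs = {name: port_open(host, port) for name, port in PORTS.items()}
    obs["cert_sha256"] = https_cert_sha256(host) if obs["https"] else None
    return obs

def assess(obs, owner_cert_sha256):
    """Turn observations into findings; an empty list means all checks passed."""
    findings = []
    if not obs["https"]:
        findings.append("HTTPS is off: web configuration is not encrypted")
    elif obs["cert_sha256"] != owner_cert_sha256:
        findings.append("HTTPS certificate is not the one the owner installed")
    if not obs["ssh"]:
        findings.append("SSH is off")
    if obs["http"]:
        findings.append("plaintext HTTP is reachable")
    return findings

if __name__ == "__main__":
    # Constructed observation: a gateway right after the update, no owner action yet.
    fresh = {"http": True, "https": False, "ssh": False, "cert_sha256": None}
    print("\n".join(assess(fresh, owner_cert_sha256="0" * 64)))
```

Against a real device, pass `observe("<gateway address>")` to `assess()` together with the recorded fingerprint. A gateway whose TLS stack is too old for the local Python defaults shows up as a certificate mismatch and needs a manual look.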