Today the DHS ICS-CERT updated a control system advisory for
Wind River VxWorks that was originally
published in June. It also published a new advisory for Advantech’s
EKI-122X series products.
Wind River Update
This update provides
updated information on the systems affected by the vulnerability and the
mitigation measures available for Wind River devices. There is no mention of
any changes in mitigation measures for Schneider products and there are no new
vendors added to the list using the vulnerable VxWorks embedded software.
Three versions of VxWorks Cert have been added to the list
of affected products. The Schneider Electric Sage 2300 RTU and SAGE LANDAC2
Upgrade Kit have also been added. The Schneider
advisory on this vulnerability is not currently available on-line.
Patches are now available for more of the affected products,
but Wind River is recommending that owners upgrade to newer versions that are
not affected by the vulnerability.
VxWorks Commentary
It seems a bit odd to me that ICS-CERT has not yet
identified any other vendors that are using the vulnerable VxWorks firmware. I
suppose that they may know of some, but are waiting for word that a patch is
available.
It sure would be nice if there were some simple test that
could be performed by an owner to see if their RTU’s were subject to the TCP
predictability vulnerability. Of course, since a facility may have a large
number of RTU’s, the test would have to be very quick for anyone to use it in
practice.
Advantech Advisory
This advisory describes
a hard-coded SSH key vulnerability in the Advantech EKI-122X series products.
The vulnerability was first reported by Neil Smith. Advantech has produced a
new firmware version that mitigates the vulnerability, but there is no
indication that Smith has been provided an opportunity to verify the efficacy
of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to intercept communications to and
from the device.
Posts
No comments:
Post a Comment