This afternoon the DHS ICS-CERT published two control system
advisories for products from Honeywell and SearchBlox.
Honeywell Advisory
This advisory
describes two vulnerabilities in the Honeywell Midas gas detector. The
vulnerabilities were reported by Maxim Rupp. Honeywell has produced new
firmware versions to mitigate the vulnerabilities, but there is no indication
that Rupp was provided the opportunity to verify the efficacy of the fix.
The two vulnerabilities are:
• Path traversal - CVE-2015-7907; and
• Clear text transmission of sensitive information - CVE-2015-7908.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to make unauthorized configuration
changes to the device.
This advisory was originally released to the US CERT Secure
Portal on November 5, 2015. Again, if you were authorized access to the Secure
Portal (see the bottom of the ICS-CERT landing
page for instructions on how to request access) you could have already
applied the new firmware to your detectors.
Note: The link in the ICS-CERT advisory for the Honeywell
Security Notice is incorrect. It should be: http://www.honeywellanalytics.com/en/support/product-notifications/midas-security-notification-firmware-update-available
SearchBlox Advisory
This advisory
describes an information exposure vulnerability in the SearchBlox web-based
proprietary search engine application. The vulnerability was reported by Oana
Murarasu of Ixia. SearchBlox has developed a new version that mitigates the vulnerability,
but there is no indication that Murarasu has been provided the opportunity to
verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit this vulnerability to export the config file without admin
login, overwrite the config file without admin login, and add or delete
(nonadmin) users.
Missing Alert?
I was really expecting to see ICS-CERT publish an alert
today on the Advantech EKI vulnerabilities that were reported
on Tuesday by Rapid7, especially since there is already a Metasploit
module available for the vulnerabilities. The reason might be that these
are actually ‘old’ vulnerabilities (Heartbleed, Shellshock and a previously
reported buffer overflow) that apparently made their way back into the firmware
update for the
latest ICS-CERT reported advisory (ICSA-15-309-01).
1 comment:
Cyber Terrorism or Cyber Attack: How Can Critical Infrastructure Operators Tell the Difference?
How can BES generation or distribution system owners tell when their SCADA/ICS systems are the victims of a cyber attack or cyber terrorism? Congress and the Regional Entities, along with NERC and FERC, have as yet not agreed to provide an answer to this question despite the need for such an answer as a guide to both policy and compliance guidance.
Congress is expressing concern the nation's electrical grid remains vulnerable to cyber attacks and progress to reduce it is too slow as reports of increasingly sophisticated attacks are being launched by a spectrum of "actors". FERC recently announced it will conduct its own audits of the electrical industry's compliance with NERC's security standards (CIP V5) in 2016: a move many believe signals FERC, by bypassing NERC's audits, shares Congress' concerns (and frustration) the industry has not reported more progress since the standard's release over two years ago.
While a distinction between "cyber terrorism" and "cyber attack" may at first appear a matter of semantics, some observers define “Cyberterrorism” as an attack having the same impact as a bomb, or other chemical, biological, radiological, or nuclear explosive (CBRN) weapon where loss of life, property damage and injuries occur. Others disagree and believe the effects of a widespread attack against critical infrastructure have unpredictable consequences and enough potential for economic disruption, fear, and civilian deaths, to qualify as terrorism.
The distinction has several policy dimensions and implications. Specifically, should a FEMA-like government agency be chartered to assist critical infrastructure sectors with recovery after a ‘cyber terror’ attack occurs? Such an agency, if chartered, would give the electrical industry a safety net and provide an upper limit on their assessment of risks and where to focus their efforts