This afternoon the DHS ICS-CERT updated the Advantech advisory that they
published last week. Additionally, a new advisory was published for
vulnerabilities in an Adcon telemetry gateway.
Advantech Update
This update corrects
the name of the researcher who reported the vulnerability in an uncoordinated
disclosure. The researcher is now being reported as HD Moore. The confusion
apparently arose because Tod Beardsley authored the
blog post that publicly disclosed the vulnerability, but even that post
credited HD Moore with the discovery.
Adcon Advisory
This advisory describes
multiple vulnerabilities in the Adcon Telemetry A840 Telemetry Gateway Base
Station. The vulnerabilities were reported by Aditya K. Sood. Adcon has
contacted all known customers to offer an upgrade to a more secure and stable
version. There is no indication that Sood has verified that the newer version
is free of the indicated vulnerabilities.
The vulnerabilities are:
• Hard-coded credentials - CVE-2015-7930;
• Improper authentication - CVE-2015-7931;
• Clear text transmission of sensitive information - CVE-2015-7932; and
• Information exposure - CVE-2015-7934.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to gain administrative access to the
target.