This afternoon the DHS ICS-CERT published an advisory for
Westermo switches. They also announced registration and a request for papers for
the Spring 2016 ICSJWG meeting.
Westermo Advisory
This advisory describes
a hard-coded certificate vulnerability in Westermo Ethernet switches. The
vulnerability was reported by Neil Smith. ICS-CERT reports that Westermo has
produced a firmware update that mitigates the vulnerability. Smith has
verified the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit this vulnerability after conducting a successful
man-in-the-middle attack to obtain authenticated access to the device.
Later in the advisory ICS-CERT reports that: “Westermo is
working on an update to automate the changing of the key, which will be
published on its web site as soon as it is ready.” The advisory then provides a
workaround for changing the hard-coded SSL certificate. There is nothing about
this vulnerability on the public portion of the Westermo
web site. The latest
version of the WeOS on that website is 4.18.0 (released this month), which,
according to the advisory, is an affected version. So, apparently the fix that
Smith validated is the workaround.
ICSJWG Spring Meeting
I reported in an earlier blog post that the date for the
Spring 2016 ICSJWG meeting had been set for May 3rd thru 5th.
Today ICS-CERT announced
that the registration for that meeting was now open. You can register on-line
here and there is still no cost to attend the meeting. Registrations should
be completed by April 28th, 2016.
ICS-CERT also published a call
for abstracts for that meeting. They are looking for four types of
presentations:
• Presentation;
• Panel;
• Demonstration;
• Lightning round