Today the DHS ICS-CERT published two control system
advisories for products from Harman AMX and B+B SmartWorx. Note: In January
Advantech acquired B+B SmartWorx for $99.85 million.
AMX Advisory
This advisory
describes dual credential management vulnerabilities in a wide variety of Harman
AMX multimedia devices. The advisory does not credit the research team (SEC
Consult) that reported
the vulnerabilities even though it was a coordinated disclosure. ICS-CERT
notes that this had previously been publicly disclosed (for example, see Ars
Technica). AMX has produced patches or updates for some of the products
covered and the remainder are in progress. SEC Consult was not provided an
opportunity to verify the final fixes.
There are two separate vulnerabilities reported, but they
apply to different lists of affected products. They are both listed as
credential management vulnerabilities with separate CVE numbers: CVE-2015-8362
and CVE-2016-1984.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities with publicly available exploits to gain
system access with elevated privileges.
There is an interesting blog
post about these vulnerabilities from SEC Consult. Long live S.H.I.E.L.D.
BTW: Vulnerable devices are apparently used at the White
House.
SmartWorx Advisory
This advisory
describes an authentication bypass vulnerability in B+B SmartWorx VESP211
serial servers. The vulnerability was reported by Maxim Rupp. SmartWorx is
still in the process of mitigating this vulnerability.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to perform administrative
functions on the network without authentication.
Advantech recommends only deploying the affected devices
behind a firewall while further mitigation measures are developed.
NOTE: The CVE number is a 2016-based number, ICS-CERT is reporting this
without real mitigation in place, and there are no publicly
available exploits. Something odd is going on here. ICS-CERT usually holds off
announcing a vulnerability until at least some mitigation measures are in place
unless the vendor response is slow played. The CVE number would seem to
indicate a recent report….