This morning the DHS ICS-CERT published three control system
advisories for systems from Ecava, Accuenergy, and Sierra Wireless.
Ecava Advisory
This advisory
describes multiple vulnerabilities in the Ecava IntegraXor application. The
vulnerabilities were independently reported by Steven Seeley of Source Incite
and Marcus Richerson. Ecava has produced a new version to mitigate the
vulnerabilities. Richerson has tested the new version and verified that it
fixed all but one (partially fixed) of the vulnerabilities; Ecava will address
that in their next release.
The eight vulnerabilities include:
• Clear text transmission of sensitive information - CVE-2016-2306;
• Cross-site scripting - CVE-2016-2305;
• Improper neutralization of alternate XSS syntax - CVE-2016-2304;
• Improper authorization - CVE-2016-2300;
• SQL injection (2) - CVE-2016-2299 and CVE-2016-2301;
• Information exposure - CVE-2016-2302; and
• Improper neutralization of CRLF sequences in HTTP headers - CVE-2016-2303
ICS-CERT reports that a relatively unskilled attacker could
remotely use publicly available exploits to gain complete control of the
system.
The Ecava
vulnerability note does not mention that one of the vulnerabilities is only
partially corrected. Nor does it mention the role of Steven Seeley.
NOTE: There is a minor error in the ICS-CERT advisory. The
print version of the link has an incorrect version number (5.0.4522.2 instead
of 5.0.4525.2), but the actual link goes to the correct place.
Accuenergy Advisory
This advisory
describes twin vulnerabilities in the Accuenergy Acuvim II Series AXM-NET
module. The vulnerabilities were reported by Maxim Rupp. Accuenergy has
developed suggested user mitigations and there is no indication that a fix is
planned for the vulnerabilities.
The vulnerabilities are:
• Authentication bypass issues - CVE-2016-2293; and
• Plain text storage of passwords - CVE-2016-2294
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to execute a denial of service
attack on the meter.
The Accuenergy suggested
mitigations are very broadly painted instructions designed to deny
unauthorized access to the meter. They include the use of firewalls, authentication,
and VPNs. No specific information on using these techniques with this
equipment is provided.
Sierra Wireless Advisory
This advisory
describes a file and directory information exposure vulnerability in the Sierra
Wireless ACEmanager application. The vulnerability was reported by Maxim Rupp.
Sierra Wireless has produced a new version that mitigates the vulnerability,
but there is no indication that Rupp has been provided the opportunity to
verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker could
remotely exploit this vulnerability to learn operational characteristics of the
gateway.