Yesterday afternoon the DHS ICS-CERT updated the Moxa Alert that was originally released on April 8th. ICS-CERT reports changes in three areas of the Alert: the summary section, the list of affected equipment and the mitigation section. As was true with the original release, there is some controversy associated with this revision of the alert.
Changes in Summary
First, the update removes a general description of the uses of the affected equipment from the Summary. Then it removes the statement that: “The researcher released the report after initially coordinating with the vendor.” Finally, it provides updated information from Moxa confirming all five of the vulnerabilities reported by Digital Bond LABS (DBLABS), instead of just three of the five confirmed in the original Alert. The Alert still does not list DBLABS as the source of the public report of the vulnerabilities.
The removal of the initial coordination statement appears to be a political move by ICS-CERT to minimize the issue that Moxa still does not plan on issuing a fix for the problems until ‘late August 2016’. The revised language makes it look like Moxa was blindsided by the April 5th report and is diligently working on a firmware update. They may be working on an update now, but the DBLABS report provides a timeline showing that Moxa was notified of the vulnerabilities on July 24th, 2015.
Changes in Products Affected List
The revised Alert reformats and expands the list of Moxa NPort devices affected by the five vulnerabilities. It also indicates that Moxa acknowledges the defect in the new list of affected devices. The DBLABS report suggested that more devices than they originally reported were probably affected by the vulnerabilities, acknowledging that the ones listed in the report were the only ones that they had tested.
Interestingly, some of the devices tested by DBLABS do not
appear on the revised list of affected devices. These include Moxa NPort
6150/6250/6450/6610/6650, firmware release 1.13. Also interesting to note is
that DBLABS was careful to list the firmware versions of the devices they
tested and there are no version numbers on the revised list in this update.
This indicates that the problem is nearly universal across the NPort product
line.
Changes in Mitigation
The third section of changes to the Alert actually overlaps the mitigation section heading and includes the last two paragraphs from the summary section. Changes were made in those two paragraphs as well. First, the new version eliminates the list of affected port numbers provided by DBLABS. Second, it removes the description of the uses of the affected NPort devices. That description had stated that:
“The Moxa NPort 6110 device is a
Modbus/TCP to serial communication gateway that integrates Ethernet and serial
Modbus devices. The Moxa NPort 5100 series and 6000 series devices are serial to
Ethernet converters that can be used to connect serial devices to an Ethernet
network.”
The changes in the mitigation section of the Alert deal
mainly with the fact that Moxa now acknowledges all five of the reported
vulnerabilities and reports that the expected August update will mitigate all
five. Moxa continues to report that it will not be updating the firmware for
the NPort 6110 since that was discontinued in 2008.
Finally, ICS-CERT removed the statement that: “Password
protecting the configuration file for the NPort 5100 and 6000 series devices
has been reported by the vendor to prevent the upload of unauthorized binary
files to the device.” It has been replaced with the more generic and even less
helpful (but more truthful): “Set up access control to affected devices to
prevent any unauthorized access.”
The Controversy
While it appears that this update was a political response to satisfy the sensibilities of Moxa, or maybe to minimize the concerns of the owners of the NPort devices, it did nothing to soothe the outrage of the investigators who had attempted to ‘properly’ coordinate their disclosure of these very serious vulnerabilities with the vendor.
Last night there was an interesting exchange of TWEETS® between Reid Wightman (@ReverseICS), the author of the original DBLABS report, and Dale Peterson (@digitalbond), the owner of Digital Bond. Now admittedly, Dale and Reid are very vocal (and persuasive) complainers about insecure-by-design ICS devices (which might legitimately include the noted firmware overwrite vulnerability), but insecure passwords, buffer overflow, cross-site scripting and cross-site request forgery vulnerabilities are just plain, old-fashioned, sloppy programming problems. And taking over a year to correct that crappy programming is just unforgivable.
I am more than a little concerned that the ICS-CERT alert continues to ignore two very important points made in the DBLABS report. First, the fact that Moxa serial converter devices were targets in the December cyberattacks on the Ukraine grid and that they were bricked by overwriting the firmware. Second, that DBLABS has shared at least one report of a live exploit of an NPort device with Moxa.
Finally, the mitigation measures mentioned in the Alert are totally inadequate to provide any sort of protection for these devices in the field. And that is totally inexcusable, since the DBLABS report provides detailed mitigation measures based upon the vulnerable ports (again, those port designations were removed from the alert). If the list of the vulnerable ports had not been removed from the Alert, ICS-CERT might have been forgiven for not quoting the DBLABS mitigation suggestions, but they did, and I’m not.
I have been a champion in this blog of the vulnerability coordination activities of ICS-CERT, even suggesting that they be made responsible for coordination activities for NHTSA, the FAA, and the FDA. With blatant industry pandering like this alert update, I think that I am going to have to re-think that position.