This morning the DHS ICS-CERT published two control system
advisories for products from Moxa and iRZ. The Moxa advisory was previously
published on the US-CERT Secure Portal. I also mention some additional vulnerability news.
Moxa Advisory
This advisory
describes five vulnerabilities in the Moxa ECR‑G903 secure routers. The vulnerabilities
were reported by Maxim Rupp. Moxa has developed a new firmware version that
mitigates the vulnerabilities. There is no indication that Rupp was provided
the opportunity to verify the efficacy of the fix.
The five vulnerabilities include:
• Privilege escalation - CVE-2016-0875;
• Plaintext storage of password - CVE-2016-0876;
• Memory leak - CVE-2016-0877;
• Denial of service - CVE-2016-0878; and
• Unauthenticated file download - CVE-2016-0879.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit these vulnerabilities to escalate privileges, initiate a
denial-of-service condition, and execute arbitrary code.
iRZ Advisory
This advisory
describes a firmware overwrite vulnerability in the iRZ RUH2 serial-to-Ethernet
interface. Apparently this is a self-reported vulnerability, though ICS-CERT
reports that an exploit is publicly available. iRZ no longer supports this
device, so no mitigation measures will be forthcoming.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit this vulnerability to upload new firmware to the device.
Other Vulnerability Notes
I had an interesting
TWEET directed my way this morning by Brandon Workentin. He said: “Full
Disclosure has email by Meteocontrol vuln reporter saying ICS-CERT advisory ‘not
complete and accurate.’ Not on FD archive yet”. ICS-CERT published
that vulnerability advisory last week.
When I looked on Full Disclosure to see if that
report had been published yet (it hasn’t), I was surprised to find another Moxa vulnerability report
from early this month that hasn’t been reported by ICS-CERT yet. This is
unusual in that Karn Ganeshen, the apparent reporter, has done numerous
coordinated disclosures, so there should be an interesting story here.
BTW: Karn was also the reporter on the Meteocontrol
Advisory. I’ll be watching Full Disclosure for this reported email.