This morning the DHS ICS-CERT updated an advisory that was published last week and published a new control system advisory. The updated advisory was for an Environmental Systems Corporation (ESC) product. The new advisory was for a control system product from GE.
GE Advisory
This advisory describes a hard-coded credential vulnerability in the GE MultiLink series managed switches. The vulnerability is apparently self-reported. GE has produced a firmware update to mitigate the vulnerability.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to gain unauthorized administrative access to device configurations, resulting in exposure and control of all configuration options available through the web interface.
The links provided in the advisory for the firmware update all lead to earlier (v 5.3.0 or v 5.3.2) affected versions of the firmware. There is no mention on the GE web site of a version 5.5.0.
ESC Update
This update provides additional information on the 8832 Data Controller advisory that was originally published on May 26th. The update notes that a Metasploit module now exists to exploit the two vulnerabilities reported.
Interestingly, searching for a Metasploit module for the ESC 8832 Data Controller I find two database listings (here and here) and a blog that reference a Metasploit module produced by Balazs Makany. Unfortunately, all three sites list five vulnerabilities, not two:
• Session Hijacking
• Predictable user session generation
• Unencrypted protocol
• Lack of user names
• Session token in HTTP GET
The blog post describes the vulnerability disclosure process by TH3R3G3NT. ICS-CERT reports that Maxim Rupp was the security researcher responsible for the two vulnerabilities included in the ICS-CERT advisory. Additionally, the descriptions of the five vulnerabilities in the two database listings are quite different from the two vulnerabilities described in the ICS-CERT advisory. In short, it looks pretty much like there are some vulnerabilities that should be added to this advisory.
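Two of the weakness classes in that list, a session token carried in an HTTP GET query string and predictable session generation, leave traces in ordinary web-server access logs that an operator can check for without touching the device. The following is an added example, not code from the original post, from ESC, or from any of the advisories or Metasploit module it mentions: it parses constructed Common Log Format lines, flags GET requests whose query string carries a session-looking parameter, and applies a simple counter-style predictability heuristic to the tokens it finds. The log lines, IP addresses, paths, parameter names and token values are all constructed for illustration.

```python
"""Added example (not from the original post or any vendor/advisory it cites):
spot session tokens leaked in HTTP GET query strings and counter-like token
generation in constructed access-log lines."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log (Common Log Format). Hosts, paths and tokens are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2016:08:00:01 +0000] "GET /index.html HTTP/1.1" 200 1234
10.0.0.5 - - [10/Jun/2016:08:00:02 +0000] "GET /data.cgi?sessionid=1001&page=1 HTTP/1.1" 200 5678
10.0.0.6 - - [10/Jun/2016:08:00:03 +0000] "GET /data.cgi?sessionid=1002&page=1 HTTP/1.1" 200 5678
10.0.0.7 - - [10/Jun/2016:08:00:04 +0000] "GET /data.cgi?sessionid=1003&page=2 HTTP/1.1" 200 5678
10.0.0.8 - - [10/Jun/2016:08:00:05 +0000] "POST /login.cgi HTTP/1.1" 302 0
"""

# Hypothetical list of query parameter names commonly used for session identifiers.
SESSION_PARAM_RE = re.compile(r"^(sessionid|session|sid|token|phpsessid|jsessionid)$", re.I)

# Common Log Format: client ident user [timestamp] "METHOD target protocol" status size
CLF_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_clf(line):
    """Return the named fields of one CLF line, or None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def find_tokens_in_get(log_text):
    """Return (client, param, token) for every GET whose query string carries a
    session-looking parameter. A token in the URL ends up in logs, proxies and
    browser history, which is the exposure behind 'Session token in HTTP GET'."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if not rec or rec["method"] != "GET":
            continue
        query = parse_qs(urlsplit(rec["target"]).query)
        for name, values in query.items():
            if SESSION_PARAM_RE.match(name):
                hits.extend((rec["client"], name, v) for v in values)
    return hits


def looks_predictable(tokens, max_gap=10):
    """Heuristic for 'Predictable user session generation': every token is an
    integer and consecutive sorted values differ by at most max_gap, which is
    what a simple counter produces. Non-numeric tokens are not judged here."""
    try:
        nums = sorted(int(t) for t in tokens)
    except ValueError:
        return False
    if len(nums) < 2:
        return False
    gaps = [b - a for a, b in zip(nums, nums[1:])]
    return max(gaps) <= max_gap


def report(log_text):
    """Summarise both checks over one log text."""
    hits = find_tokens_in_get(log_text)
    tokens = [t for _, _, t in hits]
    return {
        "get_token_leaks": len(hits),
        "predictable_tokens": looks_predictable(tokens),
        "tokens": tokens,
    }


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

The predictability heuristic is deliberately crude: it only recognises counter-like numeric tokens, so a token that is short or derived from a timestamp would still pass it. A negative result therefore says little, while a positive result on a real log is a strong signal that the device needs the vendor's fix or network isolation.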
BTW: There have not yet been any TWEETs about either of these advisories. I just happened to notice the ‘-A’ designation on the ESC advisory when I looked at the ICS-CERT landing page this evening. I almost ignored it because of the ‘5-26-16’ date on the listing, but something called out to me. ICS-CERT really needs to do a better job of communicating these updates, particularly when they add notification that a publicly available exploit has been released. That just may change some risk calculations.