Today the DHS ICS-CERT published two alerts for publicly disclosed vulnerabilities in control system products from Schneider and FENIKS Pro. It appears that these are based upon the disclosures from Karn Ganeshen that I described on Saturday. ICS-CERT did not identify the researcher doing the uncoordinated disclosure or the location of the public disclosure for either alert.
Schneider Alert
This alert describes a cross site request forgery (CSRF) vulnerability with proof-of-concept (PoC) exploit code affecting Schneider Electric’s ION Power Meter products.
Karn’s disclosure on the Full Disclosure site lists additional vulnerabilities that I briefly described Saturday. It appears that ICS-CERT either did not consider them to be actual vulnerabilities (as opposed to ‘features’) or that Schneider has not acknowledged the existence of the vulnerabilities that did not make it into the ICS-CERT alert.
ICS-CERT notes that it had already been working with Schneider on their response to the CSRF vulnerability. They also report that Schneider has provided interim security mitigation measures that device owners can use.
FENIKS Pro Alert
This alert describes authentication vulnerabilities with proof-of-concept (PoC) exploit code affecting the FENIKS PRO Elnet LT Energy & Power analyzer.
The remaining vulnerabilities described in Karn’s second disclosure on the Full Disclosure site are almost certainly considered features (default passwords) by ICS-CERT. Additionally, the lack of a documented password discovery process is not really (?) a security issue; it is just an interesting way to allow the owner to brick their own devices.
ICS-CERT has provided its initial disclosure to FENIKS and is waiting for confirmation of the vulnerabilities and reports of mitigation measures.