Last night I missed the second Schneider control system security advisory published yesterday by ICS-CERT. It describes two vulnerabilities in their IONXXXX series power meters and is a follow-up to an earlier alert. The vulnerabilities were reported by Karn Ganeshen. Schneider has provided instructions to mitigate these vulnerabilities. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.
The two vulnerabilities identified in the advisory (the second was not identified in the original alert) are:
• Cross-site request forgery - CVE-2016-5809; and
• Improper access control - CVE-2016-5815
The ICS-CERT advisory does not address the three separate default password issues for the HTTP, Telnet and front panel access to the device, though they were mentioned in passing in the earlier alert. These are specifically addressed in the Schneider Security Notification referenced in the advisory. That notification only addresses the default password issue (urging owners to change their device passwords from default values to prevent unauthorized access), but not either vulnerability addressed in this advisory.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the two covered vulnerabilities to make configuration changes on the device.
BTW: While ICS-CERT notes that there are no “known public exploits specifically target these vulnerabilities” (Karn’s disclosure did not provide a POC), it does not mention that Karn provided a partial list of organizations that are using the affected power meters.