Today the DHS ICS-CERT published three control system
security advisories for products from Hyundai Motor, Sierra Wireless and
BLF-Tech.
Hyundai Motor Advisory
This advisory
describes two vulnerabilities in the Hyundai Motor Blue Link. The
vulnerabilities were reported by Will Hatzer and Arjun Kumar working with
Rapid7. Hyundai produced a new version that mitigates the vulnerability. There
is no indication that the researchers have been provided the opportunity to
verify the efficacy of the fix.
The two reported vulnerabilities are:
• Man-in-the-Middle – CVE-2017-6052; and
• Use of Hard-Coded Cryptographic Key – CVE-2017-6054
ICS-CERT reports that an attacker (no characterization of
the skill level is provided) could remotely exploit this vulnerability to gain
access to insecurely transmitted sensitive information, which could allow the
attacker to locate, unlock, and start a vehicle associated with the affected
application.
NOTE: A Rapid7 blog
post provides more details about the vulnerability.
Sierra Wireless Advisory
NOTE: This advisory provides additional information on
vulnerabilities that were initially reported
by ICS-CERT in an Alert last June.
This advisory
describes three vulnerabilities in the Sierra Wireless AirLink Raven XE and XT.
The vulnerabilities were reported by Karn Ganeshen. Sierra Wireless has
produced new firmware that mitigates two of the three reported vulnerabilities.
There is no indication that Ganeshen was provided an opportunity to verify the
efficacy of the fix.
The three reported vulnerabilities were:
• Improper Authorization – CVE-2017-6044;
• Cross-Site Request Forgery – CVE-2017-6042; and
• Insufficiently Protected Credentials (Not mitigated) – CVE-2017-6046
Neither this advisory nor the Sierra Wireless Technical
Bulletin [.DOC download] from last summer addresses the fourth vulnerability
reported by Ganeshen in his disclosure: unauthenticated
access to directories and arbitrary file upload.
ICS-CERT reports that a relatively unskilled attacker could
use the publicly available exploits for these vulnerabilities to remotely attack
these devices to perform unauthorized sensitive functions compromising the
confidentiality, integrity, and availability of the affected system.
BLF-Tech Advisory
This advisory
describes an uncontrolled search path element vulnerability in the BLF-Tech VisualView
HMI. The vulnerability was reported by Karn Ganeshen. BLF-Tech has produced a
new version to mitigate the vulnerability. There is no indication that Ganeshen
was provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker
(access requirements not characterized) could exploit the vulnerability to
execute arbitrary code within the system.