Thursday, April 27, 2017

ICS-CERT Publishes New Advisory and an Update

Today the DHS ICS-CERT published a control system security advisory for protective relays from GE. They also updated a previously issued advisory for a product from Certec EDV GmbH.

GE Advisory

This advisory describes a weak cryptography for passwords vulnerability in the GE Multilin SR Protective Relays. The vulnerability was initially reported by Anastasis Keliris, Charalambos Konstantinou, Marios Sazos, and Dr. Michail (Mihalis) Maniatakos of New York University. GE has provided firmware updates for all but one of the affected devices; firmware for the final device is expected to be available in June. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to obtain weakly encrypted user passwords, which could be used to gain unauthorized access to affected products.

Certec EDV Update

This update adds to the advisory that was originally published on April 6th, 2017. It provides the following new information:

• The vulnerabilities can be mitigated in the affected versions by activating the “vendor built-in security mechanism”; and

• An outline of the information needed to activate that security mechanism.
