Thursday, August 24, 2017

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Rockwell and Westermo. The Rockwell advisory was originally published on the NCCIC Portal on July 27, 2017.

Rockwell Advisory

This advisory describes an SNMP remote code execution vulnerability in the Rockwell Allen-Bradley Stratix and ArmoStratix. The vulnerability was originally reported by Cisco and subsequently self-reported by Rockwell as affecting their switches. Rockwell has produced a newer version of one of the affected product families that mitigates the vulnerability. Rockwell has produced compensating controls for the remainder of the affected products pending further updates.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to execute code on an affected system or cause an affected system to crash and reload.

As always when these types of vulnerabilities from third party systems are reported, we have to ask what other vendors have also been using the same system and thus have the same vulnerabilities?

Westermo Advisory

This advisory describes three vulnerabilities in the Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455 routers. The vulnerabilities were originally reported by Mandar Jadhav from Qualys Security. Westermo has produced a new firmware to mitigate the vulnerabilities. There are no indications that Jadhav was provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Cross-site request forgery - CVE-2017-12703;
• Hard-coded credentials - CVE-2017-12709; and
• Use of hard-coded cryptographic key - CVE-2017-5816

Westermo reports in their security advisory [.PDF Download] that a fourth vulnerability was reported by the researcher, but the default user account identified is not interactive and is not accepted in the existing management interfaces and is therefore not an immediate attack vector. It has, however, been removed from the updated firmware.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerabilities to obtain hard-coded cryptographic keys, hard-coded credentials, or trick a user into submitting a malicious request, resulting in the attacker gaining unauthorized access to the device and running arbitrary code.

No comments:

/* Use this with templates/template-twocol.html */