This week there were two industrial control system
vulnerability disclosures on the Full
Disclosure web site. They addressed products from Hikvison and CODESYS.
Hikvision Vulnerability
This report
by IOT Sec describes a Wi-Fi access vulnerability in Hikvision Wi-Fi IP Cameras
installed in a wired configuration. A default wireless SSID exists in the
products with a setting of no WiFi encryption or authentication.
This disclosure was coordinated with Hikvision. No fix has
been reported but a work around was described.
The disclosure timeline reported by IOT Sec includes an
unsuccessful attempt to coordinate the vulnerability with ICS-CERT {as
recommended by (US-?)CERT}. While IP cameras are only industrial control
systems in the broadest sense, ICS-CERT has posted advisories for these
products in the recent
past (including some of the specific devices included in this report). I am
very surprised that ICS-CERT did not respond to IOT Sec; I would hope that this
was due to miscommunications issues, not bureaucratic inaction.
CODESYS Vulnerability
This report
by SEC Consult describes an improper authentication vulnerability in the
CODESYS WAGO PFC 200 Series. This appears to be an extension of a previously
reported vulnerability. ICS-CERT reported on that advisory that it would
affect products from as many as 260 other vendors that used the affected code.
This disclosure was a coordinated with CODESYS and SEC Consult reports that
CODESYS will release a patch next month.
Posts
No comments:
Post a Comment