Saturday, December 2, 2017

Public ICS Disclosure – Week of 11-25-17

This week there were two industrial control system vulnerability disclosures on the Full Disclosure web site. They addressed products from Hikvision and CODESYS.

Hikvision Vulnerability

This report by IOT Sec describes a Wi-Fi access vulnerability in Hikvision Wi-Fi IP Cameras installed in a wired configuration. A default wireless SSID exists in the products with a setting of no Wi-Fi encryption or authentication.

This disclosure was coordinated with Hikvision. No fix has been reported, but a workaround was described.

The disclosure timeline reported by IOT Sec includes an unsuccessful attempt to coordinate the vulnerability with ICS-CERT {as recommended by (US-?)CERT}. While IP cameras are only industrial control systems in the broadest sense, ICS-CERT has posted advisories for these products in the recent past (including some of the specific devices included in this report). I am very surprised that ICS-CERT did not respond to IOT Sec; I would hope that this was due to miscommunication issues, not bureaucratic inaction.

CODESYS Vulnerability

This report by SEC Consult describes an improper authentication vulnerability in the CODESYS WAGO PFC 200 Series. This appears to be an extension of a previously reported vulnerability. ICS-CERT reported in that advisory that it would affect products from as many as 260 other vendors that used the affected code. This disclosure was coordinated with CODESYS, and SEC Consult reports that CODESYS will release a patch next month.
