Tuesday, February 4, 2020

1 Advisory Published – 2-4-20

Today the CISA NCCIC-ICS published a control system security advisory for products from AutomationDirect.

AutomationDirect Advisory

The advisory describes an insufficiently protected credentials vulnerability in the AutomationDirect C-More Touch Panels EA9 Series. The vulnerability was reported by Joel Langill of Amentum Mission Engineering & Resilience (nice start for a brand-new company). AutomationDirect has a new version that mitigates the vulnerability. There is no indication that Joel has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to obtain account information such as usernames and passwords, obscure or manipulate process data, and lock out access to the device.

Amentum Disclosure

It will be interesting to see how Amentum deals with these types of vulnerability reports. Some companies publish details (after public disclosure by the vendor). Those details can include proof-of-concept code. Personally, I think that more details than are provided by NCCIC-ICS can be valuable to the community, particularly details on how the vulnerability was found. Responsibly disclosing these details should only take place after a long enough time for the vendor to mitigate the vulnerability and for owners to mitigate the vulnerability. POC information does not really help all that much, but the other information could be useful.
