Today the CISA NCCIC-ICS published a control system security
advisory for products from AutomationDirect.
AutomationDirect Advisory
The advisory describes
an insufficiently protected credentials vulnerability in the AutomationDirect C-More
Touch Panels EA9 Series. The vulnerability was reported by Joel Langill of
Amentum Mission Engineering & Resilience (nice start for a brand-new
company). AutomationDirect has a new version that mitigates the vulnerability.
There is no indication that Joel has been provided an opportunity to verify the
efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to obtain account information such as
usernames and passwords, obscure or manipulate process data, and lock out
access to the device.
Amentum Disclosure
It will be interesting to see how Amentum deals with these
types of vulnerability reports. Some companies publish details (after public
disclosure by the vendor). Those details can include proof-of-concept code.
Personally, I think that more details than are provided by NCCIC-ICS can be
valuable to the community, particularly details on how the vulnerability was
found. Responsibly disclosing these details should only take place after a long
enough time for the vendor to mitigate the vulnerability and for owners to
mitigate the vulnerability. POC information does not really help all that much,
but the other information could be useful.