Thursday, May 4, 2017

ICS-CERT Publishes 4 Advisories

Today the DHS ICS-CERT published 4 control system security advisories for products from Rockwell, Advantech, Dahua Technology and Hikvision. The Rockwell advisory was previously published on the NCCIC Portal on April 4, 2017.

ICS-CERT also published the latest version of their ICS-CERT Monitor. Not worth reviewing, but it is out there.

Rockwell Advisory


This advisory describes a resource exhaustion vulnerability in Rockwell ControlLogic and CompactLogic controllers. This vulnerability was apparently self-reported. Rockwell has provided updated versions to mitigate the vulnerability.

ICS-CERT reports that an uncharacterized attacker could remotely exploit the vulnerability to cause the device that the attacker is accessing to become unavailable.

Advantech Advisory


This advisory describes an absolute path traversal vulnerability in the Advantech WebAccess. The vulnerability was reported by Zhou Yu via ZDI. Advantech has produced a new version to mitigate the vulnerability. ICS-CERT reports that Yu has verified the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to traverse the file system and gain access to files or directories, which could result in the device becoming unavailable.

Dahua Technology Advisory


This advisory describes two password vulnerabilities in the Dahua Digital Video Recorders and IP Cameras. Bashis disclosed these vulnerabilities without coordination with ICS-CERT (see Brian Krebs and ThreatPost articles for more information).

The two reported vulnerabilities are:

• Use of password hash instead of password for authentication - CVE-2017-7927; and
• Password in configuration file - CVE-2017-7925

ICS-CERT reports that a relatively low skilled attacker could use publicly available exploits to remotely exploit the vulnerabilities to allow the attacker to obtain user credentials, including password hashes, and use these credentials to bypass authentication.

Hikvision Advisory


This advisory describes two password vulnerabilities in the Hikvision cameras. The vulnerability was reported by IPcamtalk user “Montecrypto”. Hikvision has published a new version to mitigate one of the two vulnerabilities. There is no indication that Montecrypto was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper authentication - CVE-2017-7921; and
• Password in configuration file - CVE-2017-7923

In Passing



Please remember that when ICS-CERT publishes their 2017 stats that they will almost certainly include the Dahua and Hikvision vulnerabilities in their count of control system advisories for the year.

No comments:

 
/* Use this with templates/template-twocol.html */