EasyIO Mitigates Hole in Controller

Friday, September 25, 2015 @ 05:09 PM gHale

EasyIO produced a patch to mitigate a hard-coded credential vulnerability in the EasyIO-30P-SF controller, according to a report on ICS-CERT.

Independent researcher Maxim Rupp, who discovered the issue, tested the patch to validate that it resolves the remotely exploitable vulnerability.

The following EasyIO-30P-SF controllers suffer from the issue:
• All EasyIO-30P-SF controllers running firmware prior to build v0.5.21
• All EasyIO-30P-SF controllers running firmware prior to build v2.0.5.21

This controller is used in a number of Direct Digital Control (DDC) controller products in DDC systems operated by users worldwide.

ICS-CERT created a supplement to this advisory that contains a list of nine OEM products that incorporate the EasyIO-30P-SF controller. This supplement will be updated as new patch information comes in.

Exploitation of this vulnerability could allow an attacker complete access to the controller.

EasyIO is a Malaysia-based company that markets its controller products worldwide.

The affected product, EasyIO-30P-SF, is a 32-bit controller used in a number of DDC systems worldwide. According to EasyIO, affected controller units see action across several sectors including commercial facilities, critical manufacturing, energy, water and wastewater systems, and others. EasyIO markets these products worldwide.

The EasyIO-30P-SF controller has a hard-coded credential vulnerability. This could allow the attacker to have complete access to the controller.

CVE-2015-3974 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 9.0.

No known public exploits specifically target this vulnerability. However, an attacker with low skill would be able to exploit this vulnerability.

EasyIO deployed the new patch to all nine OEM vendors to allow them to update their respective products.

These vendors are: Accutrol LLC, Bar-Tech Automation Pty Ltd, Infocon/EasyIO, Honeywell Automation India, Johnson Controls Group, SyxthSENSE, Transformative Wave Technologies, LLC, Tridium Asia Pacific Ltd, and Tridium Europe.

Each vendor has its own method and location for end users to obtain information on how to receive and install this patch. In some cases, the OEM vendors prefer to be part of the patch process to ensure correct configurations and to minimize unnecessary downtime.