Morpho Passes on Patching Hole

Friday, July 25, 2014 @ 08:07 AM gHale

Morpho will not produce a patch, update, or new version that mitigates the hard-coded credential vulnerability in the Itemiser 3, according to an ICS-CERT advisory.

This vulnerability, discovered by independent researchers Billy Rios and Terry McCorkle, is remotely exploitable.


Itemiser 3 version 8.17 is affected.

Once an attacker gains access, he or she can read and write to the file system and reconfigure the device. The attacker may also be able to reach other devices connected to the product.

Morpho is an international company that maintains offices in several countries around the world, including the U.S., UK, Netherlands, India, Germany, France, Czech Republic, China, and Australia.

The affected product, Itemiser 3, is a residue testing machine used to check hands and other objects for explosives residue.

An attacker can log in to the device using hard-coded credentials that grant administrative access. Administrative access allows the user to change device settings and read and write to the file system, which could result in a loss of confidentiality, integrity, or availability.
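The class of flaw at issue, shown as an added illustration that is not drawn from the ICS-CERT advisory or from Morpho's code: the constructed `vulnerable_login` below checks a password baked into the program, so one constant extracted from one unit opens every unit shipped, and nothing the operator configures can revoke it. `CredentialStore` shows the hardened shape: no default credential, a per-device password set at provisioning, salted PBKDF2 storage, and a constant-time comparison. All names, values, and the provisioning flow are assumptions made for the example.

```python
"""
Hard-coded credentials (CWE-259): a vulnerable login check beside a hardened one.
Constructed example for illustration; not Morpho or Itemiser 3 code.
"""
import hashlib
import hmac
import os
import secrets

# --- Vulnerable pattern -------------------------------------------------------
# The credential is a compile-time constant shared by every unit. Anyone who
# recovers it from one firmware image can log in to all of them, and no
# configuration change by the operator removes it.
HARDCODED_ADMIN = ("admin", "factory-default")   # constructed value, not a real credential


def vulnerable_login(username: str, password: str) -> bool:
    """Accepts the baked-in credential regardless of device configuration."""
    return (username, password) == HARDCODED_ADMIN


# --- Hardened pattern ---------------------------------------------------------
class CredentialStore:
    """Per-device credentials stored as salted PBKDF2-HMAC-SHA256 hashes."""

    ITERATIONS = 100_000          # assumption; tune to the device's CPU budget
    _DUMMY_SALT = b"\x00" * 16    # used to equalise timing for unknown usernames

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}   # username -> (salt, hash)

    def _derive(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, self.ITERATIONS)

    def set_password(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(password, salt))

    def verify(self, username: str, password: str) -> bool:
        entry = self._users.get(username)
        if entry is None:
            # Do the same work for an unknown user so the response time does not
            # reveal which usernames exist.
            self._derive(password, self._DUMMY_SALT)
            return False
        salt, stored = entry
        # Constant-time comparison: no early exit on the first mismatching byte.
        return hmac.compare_digest(self._derive(password, salt), stored)

    def provisioned(self) -> bool:
        return bool(self._users)


def provision(store: CredentialStore, username: str) -> str:
    """First-boot provisioning: generate a random per-device password and return it
    for display on the device console or label. Assumed flow, not a vendor procedure."""
    password = secrets.token_urlsafe(12)
    store.set_password(username, password)
    return password


def hardened_login(store: CredentialStore, username: str, password: str) -> bool:
    """Refuse every login until the device has been provisioned: no fallback default."""
    if not store.provisioned():
        return False
    return store.verify(username, password)


if __name__ == "__main__":
    print("vulnerable, factory value:", vulnerable_login("admin", "factory-default"))
    store = CredentialStore()
    print("hardened, before provisioning:", hardened_login(store, "admin", "factory-default"))
    generated = provision(store, "admin")
    print("hardened, generated password:", hardened_login(store, "admin", generated))
    print("hardened, factory value:", hardened_login(store, "admin", "factory-default"))
```

The point of the hardened version is not the hashing alone: a device that ships with no usable credential at all until an operator sets one has nothing for an attacker to extract, and a credential the operator set can be rotated if it leaks.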

CVE-2014-2363 is the identifier assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

No known public exploits specifically target this vulnerability; however, an attacker with low skill would be able to exploit it.

As for mitigation, Morpho has decided not to address the vulnerability, so no vendor-supplied fix is available.


