No Patch from Pacom, but New Version Fixed

Tuesday, December 8, 2015 @ 06:12 PM gHale

There are several crypto implementation flaws in the Pacom GMS system, according to a report on ICS-CERT.

While Pacom has not produced a patch to mitigate these vulnerabilities, it has fixed the new EMCS system.

Wind Turbine Vulnerability Patched
LOYTEC Fixes Router Vulnerability
Holes Filled in Advantech ICS Gateways
SearchBlox Fixes File Exfiltration Issue

These vulnerabilities, discovered by Swedish companies XPD and Assured, are remotely exploitable and the researchers are planning to publicly disclose these vulnerabilities next week.

The Pacom 1000 CCU and RTU suffers from the issue.

The flaw can end up used by an attacker to take control over the communication between the controller and base station.

Pacom is a Sweden-based company that has its products installed worldwide.

The affected products, Pacom GMS systems, are network-enabled security panels that control, monitor, and maintain security for a remote site and control all alarm and door functions. Pacom GMS systems see use across several sectors including commercial facilities, financial services, government facilities, and healthcare and public health. These products see action on a global basis.

There are several implementation flaws in the cryptography in the Pacom GMS systems.

CVE-2014-3260 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

Exploits that target these vulnerabilities will become publicly available next week. An attacker with a low skill would be able to exploit these vulnerabilities.

Pacom released new firmware (v1.3) for the EMCS system.