**ATTENTION:**Remotely exploitable/low skill level to exploit.
Vendor: Marel
Equipment: Food Processing Systems
Vulnerabilities: Hard-Coded Passwords, Unrestricted Upload
The following Marel food processing products are affected:
A remote attacker may be able to gain unauthorized administrative access to affected devices.
Marel has not produced an update to mitigate these vulnerabilities.
ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICSβCERT Technical Information Paper, ICS-TIP-12-146-01BβTargeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
The end user does not have the ability to change system passwords.
CVE-2016-9358 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
This vulnerability allows an attacker to modify the operation and upload firmware changes without detection.
CVE-2017-6041 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Daniel Lance reported these vulnerabilities to ICS-CERT.
Critical Infrastructure Sector: Food and Agriculture
Countries/Areas Deployed: United States, Europe, South America, and Asia
Company Headquarters Location: Iceland
ics-cert.us-cert.gov
ics-cert.us-cert.gov
twitter.com/icscert
twitter.com/icscert
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9358
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-6041
www.addthis.com/bookmark.php?url=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-17-094-02
www.dhs.gov
www.dhs.gov/report-cyber-risks
www.us-cert.gov/accessibility/
www.us-cert.gov/pdf/
www.us-cert.gov/privacy/
www.us-cert.gov/tlp/
www.us-cert.gov/tlp/
cwe.mitre.org/data/definitions/259.html
cwe.mitre.org/data/definitions/434.html
ics-cert.us-cert.gov/
ics-cert.us-cert.gov/content/recommended-practices
ics-cert.us-cert.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B
twitter.com/share?url=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-17-094-02
www.facebook.com/sharer.php?u=https%3A%2F%2Fics-cert.us-cert.gov%2Fadvisories%2FICSA-17-094-02
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
www.us-cert.gov/forms/feedback?helpful=no&document=ICSA-17-094-02 Marel Food Processing Systems&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-17-094-02&site_name=ICS-CERT
www.us-cert.gov/forms/feedback?helpful=somewhat&document=ICSA-17-094-02 Marel Food Processing Systems&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-17-094-02&site_name=ICS-CERT
www.us-cert.gov/forms/feedback?helpful=yes&document=ICSA-17-094-02 Marel Food Processing Systems&trackingNumber=&url=https://ics-cert.us-cert.gov/advisories/ICSA-17-094-02&site_name=ICS-CERT