Supplement to ICSA-15-237-02 EasyIO-30P-SF Hard-Coded Credential Vulnerability
OVERVIEW
This advisory supplement was originally posted to the US-CERT secure Portal library on August 25, 2015, and is being released to the NCCIC/ICS-CERT web site. It accompanies the ICS-CERT advisory titled ICSA-15-237-02 EasyIO-30P-SF Hard-Coded Credential Vulnerability, which was published September 24, 2015, on the ICS-CERT web site. (ICSA-15-237-02 EasyIO-30P-SF Hard-Coded Credential Vulnerability, https://ics-cert.us-cert.gov/advisories/ICSA-15-237-02, web site last accessed September 24, 2015.)
Please refer to this advisory for all the details of the vulnerability. This advisory supplement documents which products are affected by this vulnerability and suggests how users of these products may mitigate the effects of this vulnerability. This document will be updated as needed.
AFFECTED OEM PARTNERS
OEM Partner | Model Number | Region |
---|---|---|
Accutrol LLC | EASY IO-30P-SF45 – AC7100 | USA |
Bar-Tech Automation Pty Ltd | BTA 10-30, BTA Sedona Controller | Australia |
Infocon/EasyIO | EasyIO-30P-SF45 | Worldwide |
Honeywell Automation India | EasyIO 30P | India |
Johnson Controls Group | Field Controller BACnet FC-30B | Singapore |
SyxthSENSE | EasyIO 30P | United Kingdom |
Transformative Wave Technologies LLC | Catalyst CAT-371 | USA |
Tridium Asia Pacific Ptd Ltd | Vykon IOS30P or IOS30P Sedona | Asia Pacific |
Tridium Europe | Sedona Controller 30 point – IOS30P | Europe |
ICS-CERT encourages any asset owners/operators, developers, or vendors to coordinate known implementations of the affected products directly with ICS-CERT.
AFFECTED PRODUCTS
OEM Manufacturers
- Accutrol LLC: Accutrol EASY IO-30P-SF45-AC7100. Contact Accutrol LLC at 203-445-9991, and ask for the service department.
- Bar-Tech Automation Pty Ltd: Bar-Tech BTA 10-30, BTA SEDONA CONTROLLER. Bar-Tech has deployed new firmware patches, versions V0.5.22 (V1) and V2.0.5.22 (V2), which may be obtained by contacting Bar-Tech Support (Chris Schneider) at: cschneider@bar-tech.com.au, or service@bar-tech.com.au. Bar-Tech's web page may be viewed at: http://bar-tech.com.au.
- Infocon/EasyIO: EasyIO-30P-SF45. Infocon/EasyIO has deployed the new firmware patch, which may be obtained by contacting the service department at: support@easyio.com.
- Honeywell Automation India: EasyIO 30P. Honeywell has deployed a new firmware patch, which may be obtained by contacting the service department at: Yogesh.Kadam@honeywell.com.
- Johnson Controls Group: FIELD CONTROLLER BACNET FC-30B. Johnson has deployed a new firmware patch, which may be obtained by contacting the service department at the Johnson Control PowerSolutions group in Singapore, at: +65 6748 0202.
- SyxthSENSE: EasyIO 30P. SyxthSENSE Ltd, UK has deployed a new firmware patch, which may be obtained by contacting support at: +44 (0)844 840 3100.
- Transformative Wave Technologies LLC: CATALYST CAT-371. Transformative Wave Technologies has a new firmware patch. Installation support may be obtained by contacting the service department at: info@twavetech.com (1-800-786-9199, Local – 571-272-1000 or TTY – 800-877-8339).
- Tridium Asia Pacific Ptd Ltd: Vykon IOS30P or IOS30P Sedona. Tridium Asia Pacific has deployed a new firmware patch with instructions and a link to the firmware found at: https://pages1.honeywell.com/rs/819-RJX-265/images/APAC%20INSTRUCTIONS%20Update_049h%20TridiumIO30P%20Security_01_EasyIO.pdf. Perform this update to all IOS30P EasyIO Sedona controllers that have firmware prior to V0.5.0.21 (Version 1 EasyIO 30P) and V2.0.5.21 (Version 2 EasyIO 30P). Once the patch is installed, it is critical for users to change the default password. The default password is publicly known, and failure to change this password may result in unauthorized access to the IOS30P EasyIO Sedona controller. Tridium Asia Pacific strongly recommends that you use the password complexity guidance from the Open Web Application Security Project (OWASP) found at: https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Password_Complexity. For more information, you can also contact the Technical Support department at: tridiumap@tridium.com.
- Tridium Europe: Sedona Controller 30 Point-IOS30P. Tridium Europe has deployed a new firmware patch and installation information that may be found at: https://pages1.honeywell.com/rs/819-RJX-265/images/EMEA%20INSTRUCTIONS%20Update_049i%20TridiumEUIO30P%20Security_01_EasyIO.pdf. Perform this update to all IOS30P EasyIO Sedona controllers that have firmware prior to V0.5.0.21 (Version 1 EasyIO 30P) and V2.0.5.21 (Version 2 EasyIO 30P). Once the patch is installed, it is critical for users to change the default password. The default password is publicly known, and failure to change this password may result in unauthorized access to the IOS30P EasyIO Sedona controller. Tridium EMEA strongly recommends that you use the password complexity guidance from the Open Web Application Security Project (OWASP) found at: https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Password_Complexity. For more information, you can also contact the Technical Support department at: supportemea@tridium.com.