ICS Advisory

Supplement to ICSA-15-237-02 EasyIO-30P-SF Hard-Coded Credential Vulnerability

Last Revised
Alert Code
ICSA-15-237-02-Supplement

OVERVIEW

This advisory supplement was originally posted to the US-CERT secure Portal library on August 25, 2015, and is being released to the NCCIC/ICS-CERT web site. This advisory supplement is to accompany the ICS-CERT advisory titled ICSA‑15‑237‑02 EasyIO-30PF-SF Hard-Coded Credential Vulnerability that was published September 24, 2015, on the ICS-CERT web site.ICSA-15-237-02 EasyIO-30P-SF Hard-Coded Credential Vulnerability, https://ics-cert.us-cert.gov/advisories/ICSA-15-237-02, web site last accessed September 24, 2015.

Please refer to this advisory for all the details of the vulnerability. This advisory supplement documents which products are affected by this vulnerability and suggests how users of these products may mitigate the effects of this vulnerability. This document will be updated as needed.

AFFECTED OEM PARTNERS

OEM Partner

Model Number

Region

Accutrol LLC

EASY IO-30P-SF45 – AC7100

USA

Bar-Tech Automation Pty Ltd

BTA 10-30, BTA Sedona Controller

Australia

Infocon/EasyIO

EasyIO-30P-SF45

Worldwide

Honeywell Automation India

EasyIO 30P

India

Johnson Controls Group

Field Controller BACnet FC-30B

Singapore

SyxthSENSE

EasyIO 30P

United Kingdom

Transformative Wave Technologies LLC

Catalyst CAT-371

USA

Tridium Asia Pacific Ptd Ltd

Vykon IOS30P or IOS30P Sedona

Asia Pacific

Tridium Europe

Sedona Controller 30 point – IOS30P

Europe

ICS-CERT encourages any asset owners/operators, developers, or vendors to coordinate known implementations of the affected products directly with ICS-CERT.

AFFECTED PRODUCTS

OEM Manufactures

  • Accutrol LLC-Accutrol EASY IO-30P-SF45-AC7100. Contact Accutrol LLC at 203‑445-9991, and ask for the service department.
  • Bar-Tech Automation Pty Ltd-Bar-Tech BTA 10-30, BTA SEDONA CONTROLLER. Bar-Tech has deployed new firmware patches, versions V0.5.22 (V1) and V2.0.5.22 (V2), which may be obtained by contacting Bar-Tech Support - Chris Schneider at: cschneider@bar-tech.com.au, or service@bar-tech.com.au. Bar-Techs web page may be viewed at: http://bar-tech.com.au.
  • Infocon/EasyIO-EasyIO-30P-SF45. Infocon/EasyIO has deployed the new firmware patch, which may be obtained by contacting the service department at: support@easyio.com
  • Honeywell Automation India-EasyIO 30P. Honeywell has deployed a new firmware patch, which may be obtained by contacting the service department at: Yogesh.Kadam@honeywell.com.
  • Johnson Controls Group-FIELD CONTROLLER BACNET FC-30B. Johnson has deployed a new firmware patch, which may be obtained by contacting the service department at the Johnson Control PowerSolutions group in Singapore, at:  +65 6748 0202.
  • SyxthSENSE-EasyIO 30P. SyxthSENSE Ltd, UK has deployed a new firmware patch, which may be obtained by contacting the support at: +44 (0)844 840 3100.
  • Transformative Wave Technologies LLC-CATALYST CAT-371. Transformative Wave Technologies has a new firmware patch. Installation support may be obtained by contacting the service department at: info@twavetech.com (1-800-786-9199, Local – 571-272-1000 or TTY – 800-877-8339).
  • Tridium Asia Pacific Ptd Ltd-Vykon IOS30P or IOS30P Sedona. Tridium Asia Pacific has deployed a new firmware patch with instructions and a link to the firmware found at: https://pages1.honeywell.com/rs/819-RJX-265/images/APAC%20INSTRUCTIONS%20Update_049h%20TridiumIO30P%20Security_01_EasyIO.pdf. Perform this update to all IOS30P EasyIO Sedona controllers that have firmware prior to V0.5.0.21 (Version 1 EasyIO 30P) and V2.0.5.21 (Version 2 EasyIO 30P). Once the patch is installed, it is critical for users to change the default password. The default password is publicly known, and failure to change this password may result in unauthorized access to the IOS30P EasyIO Sedona controller. Tridium Asia Pacific strongly recommends that you use the password complexity guidance from the Open Web Application Security Project (OWASP) found at: https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Password_Complexity. For more information, you can also contact the Technical Support department at: tridiumap@tridium.com.
  • Tridium Europe-Sedona Controller 30 Point-IOS30P. Tridium Europe has deployed a new firmware patch and installation information that may be found at: https://pages1.honeywell.com/rs/819-RJX-265/images/EMEA%20INSTRUCTIONS%20Update_049i%20TridiumEUIO30P%20Security_01_EasyIO.pdf. Perform this update to all IOS30P EasyIO Sedona controllers that have firmware prior to V0.5.0.21 (Version 1 EasyIO 30P) and V2.0.5.21 (Version 2 EasyIO 30P). Once the patch is installed, it is critical for users to change the default password. The default password is publicly known, and failure to change this password may result in unauthorized access to the IOS30P EasyIO Sedona controller. Tridium EMEA strongly recommends that you use the password complexity guidance from the Open Web Application Security Project (OWASP) found at: https://www.owasp.org/index.php/Authentication_Cheat_Sheet#Password_Complexity. For more information, you can also contact the Technical Support department at: supportemea@tridium.com.

This product is provided subject to this Notification and this Privacy & Use policy.

Vendor

Other