This morning Robotron announced that new versions of sixteen different programs released in the last 60 days all have backdoor access due to a recent exploit of a vulnerability in their proprietary compiler. Customers who have received those new program versions via the automatic update process have been contacted. Robotron has provided firewall rules to block that access pending development of new code. Robotron reports that they have not received reports of any exploits of the backdoor vulnerability.
Kate Libby, a security analyst with Dragonfire Cyber, explains that: “This sounds like an exploit of the recently disclosed Trojan Source compiler vulnerability. The crafter of this attack needs access to source code used in program development, but this could be from code libraries used in the modern programming environment.”
Eric Mielke, spokesperson for Robotron, confirmed that the vulnerability arose from using a particular piece of code from a commonly used source. “We are working with the outside developer to determine how their library code had become compromised,” Mielke explained. “We expect that the developer will disclose the vulnerability within the coming week when the corrected code is released.”
Libby reported that Dragonfire has determined that the backdoor found in the new Robotron code uses Port 727. “That port is not used for other Robotron processes,” Libby explained. “We have told all of our clients to specifically ensure that that port is blocked in all of their firewalls protecting Robotron devices.”
Gen Turgidson, Director of the National Critical Infrastructure Security Operations Center (CI-SOC), confirmed that the CI-SOC is aware of the Port 727 backdoor in the Robotron devices. “We have contacted all of our supported organizations about the vulnerability,” Turgidson explained. “We are actively monitoring communications via that port. We will be able to detect ‘phone home’ communications via that backdoor and will quickly isolate any command-and-control system utilizing this vulnerability.”
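The kind of monitoring Turgidson describes, as an added illustration that is not part of the article or of any CI-SOC or Robotron tooling: parse connection-log lines, pull out every connection on Port 727, and flag source/destination pairs whose outbound connections on that port recur at a regular interval, which is the ‘phone home’ pattern a backdoor beacon produces. The log format, the addresses and the timestamps are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed sample connection-log lines (not from the article).
# Format assumed for the example: timestamp src dst dport direction.
SAMPLE_LOG = """\
2021-11-03T10:00:00 src=10.20.1.15 dst=203.0.113.9 dport=727 dir=out
2021-11-03T10:00:05 src=10.20.1.15 dst=10.20.1.1 dport=443 dir=out
2021-11-03T10:05:00 src=10.20.1.15 dst=203.0.113.9 dport=727 dir=out
2021-11-03T10:10:00 src=10.20.1.15 dst=203.0.113.9 dport=727 dir=out
2021-11-03T10:15:00 src=10.20.1.15 dst=203.0.113.9 dport=727 dir=out
2021-11-03T10:16:30 src=10.20.1.22 dst=198.51.100.4 dport=727 dir=out
2021-11-03T10:17:00 src=10.20.1.30 dst=10.20.1.40 dport=727 dir=in
"""

BACKDOOR_PORT = 727  # the port reported for the Robotron backdoor
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+) dir=(\S+)$")


def parse_lines(text):
    """Turn log text into (timestamp, src, dst, dport, direction) tuples; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, dst, dport, direction = m.groups()
            events.append((datetime.fromisoformat(ts), src, dst, int(dport), direction))
    return events


def port_hits(events, port=BACKDOOR_PORT):
    """Every connection on the backdoor port, in either direction; all of these merit a look."""
    return [e for e in events if e[3] == port]


def beacon_candidates(events, port=BACKDOOR_PORT, min_hits=3, max_jitter=0.2):
    """Group outbound hits on the port by (src, dst) and flag pairs whose gaps between
    connections are regular (relative std-dev <= max_jitter). Returns {pair: mean gap in s}."""
    by_pair = defaultdict(list)
    for ts, src, dst, dport, direction in events:
        if dport == port and direction == "out":
            by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        if len(stamps) < min_hits:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and pstdev(gaps) / mean <= max_jitter:
            flagged[pair] = mean
    return flagged
```

A single hit on the port (10.20.1.22 above) is still worth an alert since the port has no legitimate Robotron use; the beacon check only adds the periodicity evidence that points at an active command-and-control channel.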
A source at CI-SOC who is not authorized to speak to the press confirmed to me that there is a very strong possibility that other software from other vendors could be affected by this particular vulnerability, which CI-SOC is internally tracking as ‘Holey Condom’. “Most compilers using the same source code would establish the same backdoor,” she explained.