Sensys Networks Traffic Sensor Vulnerabilities (Update A)

Low RiskICS-CERT ICSA-14-247-01AJun 7, 2014

Summary

Sensys Networks traffic sensor products contain vulnerabilities related to unsafe code installation (CWE-494) and missing encryption (CWE-311). The VDS and TrafficDOT software versions below specified thresholds are affected. These vulnerabilities could allow unauthorized code execution or exposure of sensitive traffic monitoring data.

What this means

What could happen

An attacker could install malicious code on traffic sensor systems or intercept unencrypted traffic data, potentially disrupting traffic monitoring, reporting false congestion data, or accessing sensitive transportation infrastructure information.

Who's at risk

Traffic management authorities and transportation departments running Sensys Networks VDS or TrafficDOT systems should care. These devices are typically deployed at traffic signal controllers, on roadways, and in traffic management centers to monitor vehicle flow and optimize signal timing.

How it could be exploited

An attacker could exploit unsafe code installation mechanisms to upload malicious firmware or software updates to VDS or TrafficDOT devices. Alternatively, unencrypted communications could be intercepted over the network to access or modify traffic sensor data.

Prerequisites

Network access to the VDS or TrafficDOT device management interface or communication channels
Ability to perform a man-in-the-middle attack for data interception, or ability to reach the device update/installation mechanism

Unsafe code installation without signature verificationUnencrypted communicationsVendor indicates no fix planned for affected versionsLow EPSS score but security-relevant vulnerabilities

Exploitability

Low exploit probability (EPSS 0.2%)

Affected products (4)

4 EOL

ProductAffected VersionsFix Status

VDS: <2.10.1<2.10.1No fix (EOL)

TrafficDOT: <2.10.2<2.10.2No fix (EOL)

VDS: <1.8.8<1.8.8No fix (EOL)

TrafficDOT: <2.10.3<2.10.3No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/1

HARDENINGRestrict network access to traffic sensor management interfaces to authorized traffic management staff only, using firewall rules and access control lists.

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXIf upgraded versions are available from Sensys Networks (VDS 2.10.1 or later, TrafficDOT 2.10.2 or 2.10.3 or later), plan firmware updates during maintenance windows to reduce risk from code installation and data exposure vulnerabilities.

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: VDS: <2.10.1, TrafficDOT: <2.10.2, VDS: <1.8.8, TrafficDOT: <2.10.3. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate traffic sensor systems and management interfaces from untrusted networks and the internet.

HARDENINGEnable encryption on all traffic sensor management communications if the device firmware supports it, or use a VPN or encrypted tunnel to protect data in transit.

CVEs (2)

CVE-2014-2378 CVE-2014-2379

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/981c4134-5a3b-4bf3-aa77-3b8101fd9264