[sbe-eas] Important advisory regarding EAS software updates

Ed Czarnecki ed.czarnecki at digitalalertsystems.com
Mon Aug 8 12:32:21 EDT 2022

SBE EAS list:

I'm just passing along a quick informal note on security, as I am on leave for at least another week or two.

The FCC and FEMA recently issued reminders to make sure EAS equipment has its software updated and is protected by a firewall.  We want to amplify those statements and provide more detail - or as Paul Harvey would have said, "the Rest of the Story."

There will be a security vulnerability presentation sometime in the next week that will likely get a fair amount of attention, and potentially spur some bad actors. 

While these vulnerabilities were identified and addressed 3 years ago, there are users that have not updated their software.  Again, we expect that a security presentation next week may draw significant attention.

Background:   A security researcher initially contacted us in 2019 to identify two specific vulnerabilities, which we believe were addressed in software updates issued in Oct 2019 (version 4.1) and onwards.  The two vulnerabilities that were identified relate to the potential cross-scripting (XSS) and host header injection attacks for browser-based web pages.  We released a mitigation in version 4.1 back in 2019, but there are still some that have not updated over the past few years.

If your DASDEC is not using version 4.1 or later, we urge you to update as soon as possible.

The vulnerabilities that were identified present a potentially serious risk, which is why we quickly issued an update in 2019.  Those running any software prior to version 4.1 should immediately take action and update to the latest version of software.  

Addressing software vulnerabilities has become an ongoing fact of life.  We will evaluate and work to issue any future mitigations as quickly as possible, as needed.

We thank the FCC and FEMA for being proactive and issuing reminders about updating software, using protective firewalls, and other security best practices.  We also credit the security researcher for bringing this to our attention originally, and exercising responsible disclosure to date.

More discussed here:  https://www.radioworld.com/news-and-business/headlines/femas-notice-on-eas-vulnerabilities-raised-some-questions


Edward Czarnecki Ph.D
VP Global and Government Affairs
Digital Alert Systems Inc.
