Reference: CERT-EU Security Advisory 2015-761

Short Summary
--------------
Crypto implementation flaws in Pacom GMS System. The Pacom 1000 implementation has several serious flaws in its cryptographic mechanisms. The flaws that were found can be used to bypass the security of any unpatched installation. The issue could affect the Physical Security entities of a constituent, depending on the infrastructure.

CVE reference: CVE-2014-3260
Affected platforms: Pacom 1000 CCU ("Base Station") and Controllers (RTU)
Version: All versions are affected
Date: 2013-October-10
Security risk: High
Vulnerability: Crypto implementation flaws in Pacom GMS System
Researcher: Joachim Strombergson, Fredrik Soderblom, Peter Norin
Vendor Status: Notified / Patch available
Vulnerability Disclosure Policy: https://xpd.se/advisories/xpd-disclosure-policy-01.txt
Permanent URL: https://xpd.se/advisories/XPD-2015-001.txt

Systems affected
-----------------
The Pacom 1000 CCU and controllers (RTU) are used in security alarm installations all over the world.

All versions of Pacom 1000 (CCU & RTU) - According to Pacom, this firmware will not be fixed. Customers are advised to switch to the EMCS platform instead.
All versions of EMCS (Pacom .is) prior to 1.3

The vendor reports that the following versions are patched:
EMCS (Pacom .is) version 1.3 and above

Impact
-------
In a worst-case scenario, these vulnerabilities could lead to a full compromise of the protocol between the controller and the base station, rendering an alarm system useless.

Solutions
----------
No solutions available.

Additional References
-----------------------
[1] XPD Advisory: https://xpd.se/advisories/XPD-2015-001.txt

CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383