Wednesday, February 2, 2011

ICS-CERT Advisory for ClearSCADA

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published an advisory concerning multiple vulnerabilities in the Control Microsystems’ ClearSCADA software. The three vulnerabilities in multiple versions of the software have been addressed by the vendor.

The three vulnerabilities identified are:

• Heap Overflow Vulnerability
• Cross-site Scripting Vulnerabilities
• Insecure Web Authentication

There are no known publicly available exploits for the first vulnerability, but there are tools available that could allow for an exploit of the other two vulnerabilities.

ICS-CERT and Control Microsystems recommend the following mitigation measures (after appropriate system vulnerability review):

• Upgrade older versions or install service packs (http://www.clearscada.com/services-support/software-updates/) for newer versions of this software.

• Disable logons on ClearSCADA non-secure ports. Locate this setting under System Configuration => WebX in the server configuration window.

• Install a WebX security certificate from a trusted authority.

• Limit access to the server and server network to only trusted networks and users.

NOTE: See this post at DigitalBond.com for some interesting background on this advisory.
