And the problems just keep coming. Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published another alert for a human machine interface vulnerability with a publicly available exploit, this time for the BroadWin WebAccess system.
Ruben Santamarta, the security researcher who identified the vulnerability, had previously notified ICS-CERT of the problem, but BroadWin had not been able to validate it. As a result, Ruben publicly released details, including the exploit code, leading ICS-CERT to publish this alert.
Gleg, Ltd Update
On the 0-day vulnerabilities that I reported on yesterday, there is some question as to whether these are really new vulnerabilities or just re-reporting of ones that have already been identified by ICS-CERT. Dale Peterson, DigitalBond.com, notified me yesterday that he believes that they are previously identified vulnerabilities. Joel Langill, who reported the Agora SCADA+ coverage of these vulnerabilities on his SCADAHacker blog, is not convinced and is conducting further research. Apparently ICS-CERT agrees with Dale, as they did not publish any alerts on the reported vulnerabilities. I’ll clarify the situation as more information becomes available.
Luigi Vulnerability Updates
Joel is also reporting on the TofinoSecurity.com blog that he and Eric Byres decided to take a closer look at the systems on which Luigi reported multiple vulnerabilities earlier this week to see if there were additional vulnerabilities in those systems. Sure enough, they found another vulnerability in the first system they checked. Joel did not provide details on the vulnerability in the blog, as they have reported the issue to ICS-CERT to allow them to work with the vendor, also not identified, to correct the problem.
Again, this just further emphasizes the point I made yesterday. As security researchers (and presumably less ethical hackers) begin to seriously look at ICS software, they are going to be finding lots of vulnerabilities. These newly identified vulnerabilities are going to increase the likelihood of actual attacks on control systems and will make it easier for terrorists to obtain the tools necessary to conduct remote attacks on high-risk chemical facilities.