Monday, November 28, 2011

Three New Luigi Vulnerabilities and a New ICS-CERT Advisory

Today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published three new Luigi vulnerability alerts and an advisory for the Schneider Electric Vijeo Historian. Luigi (as one would almost expect) would be the first researcher acknowledged under the recently announced revised ICS-CERT policy concerning the identification of researchers who do not coordinate their vulnerability disclosures. Two of the Luigi vulnerability reports are for Siemens systems.

Siemens Vulnerabilities

Luigi identified four separate vulnerabilities in the Siemens Automation License Manager. The four vulnerabilities are identified in the ICS-CERT alert as:

• Buffer Overflow;
• Exception;
• NULL Pointer; and
• Memory Write

All four are reportedly remotely exploitable and may be used for DoS attacks. The first and last may allow for remote execution of arbitrary code. Proof-of-concept code is publicly available. Further details are available on BugTraq. ICS-CERT recommends their standard system isolation techniques as interim measures pending development of actual Siemens mitigation measures.

Three additional vulnerabilities were identified in the Siemens SIMATIC WinCC Flexible Runtime system. Those three vulnerabilities are:

• Stack Overflow;
• Directory Traversal; and
• Memory Read Access.

Again, all three are remotely exploitable with POC code published. Only the last can be used for a DoS attack. The first could allow remote arbitrary code execution, and the second could give an attacker read, write or delete access to the system. Again, Luigi has made further details available on BugTraq.

BTW: ICS-CERT may have decided to acknowledge the un-coordinating researchers, but they did not provide links to either the BugTraq reports or Luigi’s web page for further information on the vulnerabilities.

Optima APIFTP Server Vulnerabilities

Luigi identified two vulnerabilities in the Optima APIFTP Server system. They are a null pointer vulnerability and an endless loop hole (okay, I apologize for the play on words, almost). The POC code published for these would also allow for a remote DoS attack and arbitrary code execution.

I could not find this report on BugTraq or Luigi’s home page.

Schneider Electric Historian Vulnerabilities

ICS-CERT is reporting that researcher Kuang-Chun Hung of the Security Research and Service Institute, Information and Communication Security Technology Center (ICST) has reported, and coordinated the disclosure of, four separate vulnerabilities in three data historian products produced by Schneider Electric. The vulnerabilities include:

• Two separate buffer overflows;
• Cross-site scripting; and
• Directory Traversal

The buffer overflows would allow a low-skilled attacker to execute a DoS attack or execute arbitrary code. The cross-site scripting vulnerability would allow a similarly skilled attacker to inject arbitrary web script. Finally, the directory traversal vulnerability would allow the attacker to read arbitrary files. All are remotely exploitable, and the first three would require a social engineering attack.

Schneider Electric has developed a patch that has been evaluated by ICST and found to provide appropriate mitigation for these vulnerabilities.

1 comment:

Anonymous said...

Hey Patrick,

The details of the APIFTP bugs are available in the relevant advisory:

Also, the details of the other bugs (including the Siemens ones) are always available in the Advisories section of my website.

Only some of them are sent to Bugtraq, depending on the impact of the problems or the importance of the affected software.
