Today was the day that the DHS ICS-CERT published their updated Advisory on the Open Automation Software OPC Systems.NET vulnerability. As I mentioned in an earlier blog post, this update adds a second vulnerability to the one initially discovered by Luigi; the second was discovered by Digital Security Research Group (DSecRG).
The latest vulnerability in this system is a reported buffer overflow vulnerability in the ActiveX control for the system. It would allow a moderately skilled attacker to ….. Hmm, ICS-CERT doesn’t say what the vulnerability would allow an attacker to do, and neither does the DSecRG report on the vulnerability. Oh well, I guess it doesn’t matter because the updated version of OPC Systems.NET released to deal with the Luigi vulnerability also fixes this one. And everyone always updates their systems when a security update becomes available – don’t they?
The long history of this Advisory (dating back to the original Luigi-based alert) shows how complicated ICS vulnerabilities can get. This update makes things even more interesting by noting that the new buffer overflow vulnerability in the OAS OPC Systems.NET isn’t really an OAS vulnerability. The vulnerability actually resides in the ActiveX component FlexGrid 7.1, a third-party component of OPC Systems.NET.
As I have mentioned a number of times, finding a vulnerability in a third-party component automatically brings a question to my mind: what other ICS systems are using the same component and thus potentially have the same problem? Unfortunately, there is no way for anyone to know, since system vendors don’t report if/when/where they use third-party component software. Until, of course, a security researcher finds the same vulnerability in another system.