This afternoon the DHS ICS-CERT published two new advisories, both with multiple vulnerabilities. The advisories are for Ocean Data Systems’ Dream Report and MICROSYS’ Promotic systems. Strangely missing are the two alerts that I predicted this weekend for vulnerabilities publicly disclosed by the Digital Security Research Group (DSecRG).
Ocean Data Systems Advisory
Rios and McCorkle reported the two vulnerabilities addressed in this advisory. The first is a cross-site scripting vulnerability that is remotely exploitable and does not require much in the way of skills to execute. The second is a write access violation vulnerability that is a tad bit more complicated to exploit, requiring a successful social engineering attack and the creation of a specially crafted data file.
Ocean Data Systems has published a new version of the Dream Report product that has been confirmed to be free of these two vulnerabilities. Separate CVE numbers have been assigned, but are not yet active.
While it is not mentioned in the MICROSYS advisory, that advisory is an update of an alert issued last October for three vulnerabilities found in the Promotic HMI. Those vulnerabilities were reported by our friend Luigi. The vulnerabilities identified were:
• Directory Traversal, CVE-2011-4518;
• ActiveX Stack Overflow, CVE-2011-4519; and
• ActiveX Heap Overflow, CVE-2011-4520
All three are remotely exploitable by a relatively low-skilled attacker. The first could be used to cause some data leakage and the other two could be used as part of a DoS attack. The latest version of Promotic is free of these vulnerabilities and is downloadable from the MICROSYS website. The above-listed CVE numbers are not yet active.
Last Sunday I noted that in addition to the WAGO vulnerability covered in an ICS-CERT alert from Friday, there were two other system vulnerability reports from DSecRG describing vulnerabilities in Tecomat PLCs and the Open Automation Software (OAS) OPC system. Both of those should have received ICS-CERT alerts on Friday or yesterday. They were still not posted as of 20:30 EST today; curiouser and curiouser.