Today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published two new advisories covering vulnerabilities in two ICS systems. The first upgrades an alert from December concerning multiple credential vulnerabilities in various Schneider systems and the second addresses a vulnerability in Certec’s atvise SCADA/HMI product.
This advisory upgrades the information in an alert on various Schneider ICS products that was published last month. As noted in that alert, there were three separate hard-coded credentials in various Schneider applications, involving the Telnet port, the Wind River debug port and the FTP service. This advisory confirms the earlier report that Schneider has developed, and has now made available, patches to deal with the vulnerabilities in the first two services, but the FTP service remains vulnerable to attack on some portion (maybe all; it is not clear from the advisory) of the affected systems. Schneider is continuing to work on a mitigating patch for the remaining vulnerable service.
Interestingly enough, the patches now available remove the vulnerable services (more accurately, two of the vulnerable services) from the products. They were apparently included to allow remote maintenance and diagnostics of the products. Again, apparently, this was the reason for the hard-coded credentials: they ensured that the owner-operator could not inadvertently lock Schneider out of the system. Of course, they also ensured that the owner-operator could not deliberately lock Schneider out, and that is the security issue: the lack of any owner-controlled access control.
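Since the fix for two of the three services is to remove them outright, the practical check for an owner-operator is whether those services still answer after the patch is applied. The following is an added example, not code from ICS-CERT, Schneider or the advisory. The advisory names the services but not their ports, so the port numbers are assumptions: Telnet and FTP on their standard TCP ports, and the Wind River WDB agent on UDP 17185, which a plain TCP connect cannot test and is therefore only flagged for manual follow-up. The probe function is injectable so the logic can be exercised without a live controller; the placeholder target address is from the TEST-NET range.

```python
"""Post-patch check: confirm that remote-maintenance services a vendor patch
is supposed to remove are no longer listening.

Added example; not from ICS-CERT or Schneider. Port assignments below are
assumptions (the advisory names the services, not the ports).
"""
import socket
from typing import Callable, Dict, List

# Assumed service-to-port mapping (not stated in the advisory).
TCP_SERVICES = {"telnet": 23, "ftp": 21}
# WDB is UDP and needs a protocol-aware probe; listed so it is not forgotten.
UDP_SERVICES_MANUAL = {"wdb": 17185}


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connect to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_host(host: str,
               connect: Callable[[str, int], bool] = tcp_open) -> Dict[str, str]:
    """Map each service name to 'OPEN', 'closed', or 'manual' (not probed).

    `connect` is injectable so the reporting logic can run offline in a test.
    """
    report: Dict[str, str] = {}
    for name, port in TCP_SERVICES.items():
        report[name] = "OPEN" if connect(host, port) else "closed"
    for name in UDP_SERVICES_MANUAL:
        report[name] = "manual"
    return report


def still_exposed(report: Dict[str, str]) -> List[str]:
    """Services the patch should have removed but that still accept connections."""
    return sorted(name for name, state in report.items() if state == "OPEN")


if __name__ == "__main__":
    import sys
    # Placeholder target in TEST-NET-1; replace with the controller's address.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"
    result = check_host(target)
    for service, state in result.items():
        print(f"{service:7s} {state}")
    exposed = still_exposed(result)
    print("still exposed:", ", ".join(exposed) if exposed else "none")
```

Until Schneider ships the FTP fix, seeing `ftp OPEN` on an otherwise patched unit is expected and is the case for compensating controls (firewalling the port, disabling the service if the device allows it); `telnet OPEN` after the patch means the patch did not take.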
Once again, I want to raise the issue about access to critical systems at high-risk chemical facilities. CFATS requires that anyone with unaccompanied access to critical systems at high-risk chemical facilities must be vetted against the Terrorist Screening Database (TSDB) and have other unspecified background checks completed before they can be given access to the critical systems at the facility. Who is going to ensure that all of the techs at Schneider (and any other vendor with remote access to control systems) have been properly vetted in accordance with the CFATS regulations?
NOTE: The CVE file for these vulnerabilities is already available.
The second advisory is for a newly reported vulnerability in Certec’s SCADA/HMI product, atvise. The unnamed vulnerability (the advisory actually calls it a “denial of service (DoS) vulnerability”, but that describes the result of an attack, not the vulnerability) was reported by our old friend Luigi. Since this is an ‘advisory’ instead of an alert and it includes a mitigation, it would appear that Luigi has completed his second or maybe third coordinated disclosure. Actually, that’s not fair; Luigi’s name appears next to a number of upcoming ZDI (Zero Day Initiative) advisories.
This Voldemort vulnerability (okay, forgive the Harry Potter® reference; Lord Voldemort is most often referred to in the series as ‘He Who Must Not Be Named’ because he is soooo evil) would allow a low-skill attacker to remotely execute a DoS attack. Certec has created a new version of atvise that does not have the vulnerability; it is available on their web site.
NOTE: The CVE link for this vulnerability is provided but the file is not yet active.