Yesterday afternoon and today DHS ICS-CERT published two advisories for vulnerabilities in two separate SCADA human-machine-interface (HMI) programs. Both were identified through coordinated disclosures. The affected systems are the zenon HMI (from Ing. Punzenberger COPA-DATA GmbH) and Wonderware HMI Reports (from Invensys).
The twin DoS vulnerabilities in the zenon advisory were reported by Kuang-Chun Hung of the Security Research and Service Institute – Information and Communication Security Technology Center (ICST). They would allow an attacker to remotely execute a denial-of-service attack or possibly remotely execute arbitrary code.
Punzenberger has made available an update to this system that resolves the reported vulnerabilities. They also recommend disabling their ZenSysSrv.exe service except when it is actually needed.
Rios and McCorkle reported the twin vulnerabilities in Wonderware HMI Reports from Invensys. The cross-site scripting vulnerability could allow a low-skilled attacker to remotely execute a DoS attack or cause data leakage from the system. The write access violation would require a skilled attacker to execute arbitrary code via a social-engineering-initiated attack.
Invensys has a new version of this program available that removes the vulnerabilities from the system. It gets a little more complicated though since the owner-operator will also have to migrate the report definitions into the new Quick Reports 2012 format and request a permanent license from the distributor.
BTW: It would be interesting to know if these vulnerabilities were part of the ‘100 vulnerabilities in 100 days’ project that Rios and McCorkle did last year. The timing could be right, and it would be interesting to see how long it takes all 100 vendors to get their vulnerable systems under control. Or how many actually get the problems corrected.