Five separate advisories were published by the DHS ICS-CERT folks today, and there are a lot of other interesting numbers involved. First, there are two new sets of vulnerabilities from coordinated disclosures and three sets following up alerts for uncoordinated disclosures. Next, there are two advisories from Luigi and one from Basecamp. Then there are two Siemens advisories for different devices by different researchers. Finally, we have a real first: a vulnerability reported in a cybersecurity device.
Siemens has two new devices now listed on the ICS-CERT list of vulnerable control systems applications: Scalance S and Scalance X. The similarity in names is apparently because both are communications devices; Scalance X is an ‘Industrial Ethernet Switch’ and Scalance S is a security module that includes a ‘Stateful Inspection Firewall’. Vulnerabilities in either could open an otherwise secure network to attack, since both sit at the boundary that is supposed to be doing the protecting.
The two vulnerabilities reported in Scalance S were disclosed to Siemens by Adam Hahn and Manimaran Govindarasu. The vulnerabilities are a brute-force authentication vulnerability and a stack-based overflow vulnerability. Both are remotely exploitable by a moderately skilled attacker and could result in a DoS or possibly arbitrary code execution. Siemens has a firmware update and a security advisory to ‘resolve’ these vulnerabilities. Interestingly, ICS-CERT does not say that the researchers have verified the resolution of these vulnerabilities.
There is just a single buffer overflow vulnerability reported in the Scalance X, disclosed by Jürgen Bilberger from Daimler TSS GmbH directly to Siemens. This is a remotely exploitable vulnerability that could be exploited by a moderately skilled attacker. A successful exploit could result in a DoS or execution of arbitrary code. Siemens has a firmware update for this vulnerability that, again, the advisory says ‘addresses the vulnerability’ without saying that the researcher has verified that claim.
I’m not sure how ICS-CERT was notified about these vulnerabilities, since both advisories clearly state that the disclosures were made directly to Siemens. I would probably assume that the notification was made by Siemens, and that would certainly be a positive move from a company that a large number of people associate with their insecure-by-design PLCs.
Luigi Uncoordinated Disclosures
Two of today’s advisories were follow-ups to alerts due to uncoordinated disclosures last year by Luigi. One of the advisories references the earlier alert, but the other does not. What’s really unusual about that is that an earlier advisory for the same product, the MICROSYS Promotic HMI, also did not reference the original Luigi related alert. To the best of my knowledge these are the only two instances where an earlier alert was not referenced in the advisory; it is a strange coincidence that both are about the same product reported by the same researcher.
The Promotic vulnerability is a ‘use after free’ condition that would allow an attacker to corrupt data or possibly execute arbitrary code. Remote exploitation is not possible, as the exploit requires a local user to open a specially crafted project file. MICROSYS notes that the latest version of Promotic does not contain this vulnerability, so users can just download the latest version to correct the problem.
The second advisory is for the Certec webMI2ADS HMI application, or maybe it is the atvise webMI that they referenced in the original alert. There has been more than a little confusion in the naming of products in the systems upon which Luigi has reported. This is probably due to the fact that Luigi is operating out of Italy and product names do change in different countries.
The Certec advisory addresses four separate vulnerabilities:
• Directory traversal;
• Null pointer dereference;
• Termination of software; and
• Resource consumption.
These vulnerabilities are remotely exploitable by a relatively low-skilled attacker to cause a DoS or perhaps access ‘sensitive data’. Registered users can download a new version of the application that does not contain these vulnerabilities. The advisory reports that Luigi has confirmed that the update ‘resolves these vulnerabilities’.
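The directory traversal item is the one class on this list where the fix is a well-understood check, so here is an added illustration of it. This is not Certec’s code or anything from the advisory; it is a generic web-server path check written for this post, using a hypothetical web root of /opt/hmi/www and a few constructed request paths. It shows a naive path join that lets ‘../’ (including its URL-encoded form) walk out of the web root, beside a hardened resolver that decodes, normalises and then refuses anything that does not land inside the root.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical web root for the HMI's embedded web server (assumption for this example).
WEB_ROOT = "/opt/hmi/www"


def vulnerable_resolve(web_root: str, request_path: str) -> str:
    """Naive mapping of a URL path to a file path: just join and normalise.

    This is the pattern behind most directory traversal bugs: normpath happily
    collapses '../' segments, so a request can climb above the web root.
    """
    decoded = unquote(request_path)
    return posixpath.normpath(posixpath.join(web_root, decoded.lstrip("/")))


def safe_resolve(web_root: str, request_path: str):
    """Hardened mapping: decode, normalise, then require the result to be
    inside the web root. Returns None for any request that must be refused.
    """
    decoded = unquote(request_path)
    # Embedded NUL bytes and backslashes are never legitimate in a URL path here;
    # both are classic ways to confuse the check that follows.
    if "\x00" in decoded or "\\" in decoded:
        return None
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # The containment test must include the trailing separator, otherwise
    # '/opt/hmi/www-old/secret' would wrongly pass for a root of '/opt/hmi/www'.
    if candidate == root or candidate.startswith(root + "/"):
        return candidate
    return None


def audit_requests(web_root: str, request_paths):
    """Run both resolvers over a batch of request paths and report the ones
    where the naive code would have served a file outside the web root.
    Returns a list of (request_path, naive_result) for the escapes found.
    """
    escapes = []
    for path in request_paths:
        naive = vulnerable_resolve(web_root, path)
        if safe_resolve(web_root, path) is None:
            escapes.append((path, naive))
    return escapes


# Constructed sample requests: the last three are traversal attempts.
SAMPLE_REQUESTS = [
    "/index.html",
    "/images/../index.html",          # stays inside the root, harmless
    "/../../../etc/passwd",
    "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",  # URL-encoded dots
    "/..\\..\\boot.ini",               # backslash variant
]

if __name__ == "__main__":
    for path, naive in audit_requests(WEB_ROOT, SAMPLE_REQUESTS):
        print(f"{path!r} -> naive resolver would serve {naive!r}")
```

The containment test compares against the normalised root plus a trailing slash rather than a bare prefix; a bare `startswith` check is a common second bug in code that has already been ‘fixed’ once. On a real device the check should be applied to the decoded path exactly once, since double-decoding reopens the encoded-dot bypass.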
The Basecamp related advisory concerns the vulnerabilities identified in the Koyo ECOM1000 Ethernet Module. Reid Wightman was responsible for the original disclosure as part of the Basecamp presentations at the S4 Conference in January. There were five vulnerabilities identified in this product:
• Buffer overflow;
• Weak password requirements;
• Web server cross-site scripting;
• Web server requires no authentication; and
• Uncontrolled resource consumption.
All five are remotely exploitable by a moderately skilled attacker. Koyo has produced a patch that addresses each of these vulnerabilities with varying degrees of effectiveness. The web server, for example, is now disabled by default, but the module can be reconfigured by the user to enable the web server, apparently re-opening the vulnerability.