Late Monday afternoon the folks at ICS-CERT updated two of the original Basecamp alerts to reflect new information from both the vulnerability discoverer and the vendor. The two alert updates cover the General Electric (GE) D20ME application and Schneider Electric Modicon Quantum PLC. In both cases the Basecamp folks published one or more Metasploit exploits for the vulnerabilities in the original alerts.
The revised GE alert adds a third vulnerability: a buffer overflow that can also be remotely exploited and may result in a denial-of-service condition and perhaps execution of arbitrary code. The revised alert also includes a request from GE that D20ME users contact their support representative for mitigation information on these vulnerabilities.
According to the alert update, Schneider has provided ICS-CERT with information on some mitigation tools that are already available in systems that use the Modicon PLC. These include:
An access control list;
A memory protect key switch; and
A PLC memory card.
Further information on these measures, according to the alert, is available online (note that this is a .ZIP file).
While these Metasploit exploits were discussed on DigitalBond last Thursday and on many of the cybersecurity websites over the weekend, the publication of these two alert updates will almost certainly ensure that the discussion continues. Unfortunately, most of the discussion to date has centered on the uncoordinated disclosure rather than on the actual vulnerabilities. I suspect that that trend will continue.
Interestingly, the Schneider alert will actually add to the discussion on a fundamental level. Dale and his Basecamp crew have maintained that the reason for their outing the PLC vulnerabilities is that the manufacturers have done little or nothing to remediate the designed-in security vulnerabilities. I’m not sure how effective the three measures are at protecting the PLCs from attack, but they certainly ought to be discussed.