Late Friday afternoon the folks at DHS ICS-CERT published two new alerts based upon the latest Basecamp disclosures and updated a recent advisory for Rockwell Automation’s FactoryTalk application. The two Basecamp alerts are for the WAGO IPC 758-870 PLC and the 3S-Software CoDeSys application used for programming PLCs. These two vulnerabilities were publicly disclosed by Reid Wightman at AppSec DC earlier this week and were discussed on the DigitalBond web site on Thursday.
ICS-CERT posted a minor update to their advisory dated March 28th, 2012. Readers might remember that advisory because Rockwell added 11 TCP ports to the one listed in the Luigi report that was the basis for the original alert. Now it seems that the TCP port designation in the original uncoordinated disclosure was incomplete. This updated advisory now notes that the vulnerable port is Port 4445/UDP; the information after the number being new. It’s details like this that can be very important when setting up a proper firewall for the control system: a rule that blocks 4445/TCP does nothing for a service listening on 4445/UDP.
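As an added illustration (not part of the original post or of any ICS-CERT advisory), the following script models a simple first-match firewall ACL and shows that a deny rule written for 4445/TCP leaves the 4445/UDP service reachable; the rule format, the ruleset contents and the default-allow policy are assumptions made for the example.

```python
# Added example: protocol-aware ACL check showing why "port 4445" alone is
# not enough when the service actually listens on UDP.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "deny" or "allow"
    proto: str             # "tcp", "udp", or "any"
    dport: Optional[int]   # destination port; None matches any port


def matches(rule: Rule, proto: str, dport: int) -> bool:
    """A rule matches when both its protocol and its port constraints hold."""
    proto_ok = rule.proto in ("any", proto)
    port_ok = rule.dport is None or rule.dport == dport
    return proto_ok and port_ok


def evaluate(ruleset: List[Rule], proto: str, dport: int) -> str:
    """First matching rule wins; an empty or non-matching ruleset denies (assumed policy)."""
    for rule in ruleset:
        if matches(rule, proto, dport):
            return rule.action
    return "deny"


# Ruleset written from the original report, which named only a TCP port (constructed):
TCP_ONLY = [Rule("deny", "tcp", 4445), Rule("allow", "any", None)]

# Ruleset written after the update that identifies the port as 4445/UDP (constructed):
CORRECTED = [Rule("deny", "tcp", 4445), Rule("deny", "udp", 4445), Rule("allow", "any", None)]


def audit(ruleset: List[Rule], services: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Return the (proto, port) pairs that the ruleset still lets through."""
    return [(p, d) for p, d in services if evaluate(ruleset, p, d) == "allow"]


if __name__ == "__main__":
    # The service pairs to check; only the UDP one is the vulnerable port per the update.
    exposed = [("udp", 4445), ("tcp", 4445)]
    print("tcp-only ruleset leaves open:", audit(TCP_ONLY, exposed))    # [('udp', 4445)]
    print("corrected ruleset leaves open:", audit(CORRECTED, exposed))  # []
```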
Wightman identified two vulnerabilities in this PLC, the use of a hard-coded password, and improper access control. Successful exploits of both vulnerabilities could result in a ‘loss of integrity’ (a full stop on the PLC execution according to the DigitalBond post) while exploiting the second could result in arbitrary code execution. ICS-CERT notes that the ‘improper access control’ vulnerability is the same as is reported in the second alert posted today (Note there is a bad link to that second report in the footnote on the WAGO IPC alert; it should read: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-097-02.pdf).
Reid’s post at DigitalBond notes that there is a Metasploit module available to exploit the ‘improper access control’ vulnerability; a fact that ICS-CERT overlooked in this alert, but will almost certainly mention in the resulting advisory if/when WAGO addresses this vulnerability.
This really is the same as the second vulnerability reported in the WAGO IPC alert noted above. The 3S-Software CoDeSys application is a third-party product used on PLCs and engineering workstations. It was actually the vulnerability in this product that was noted in the WAGO alert. It will be interesting to see if 3S identifies any other products that use CoDeSys that would also have this particular vulnerability. I don’t actually recall any vendor taking that action to date, but there could always be a first: an ethical vendor.
As with the original Basecamp releases there have been a lot of heated discussions on the web about the propriety of Peterson and Wightman disclosing these vulnerabilities without first giving the vendor a chance to correct the problem. One that I have actively participated in can be found at LinkedIn.com under the Industrial Control System – Cyber Security Group. While there is more than a little heat in the discussion, there is very little name-calling and some good presentations of the different viewpoints involved. The ongoing discussion is well worth following.
NOTE: ICS-CERT does not provide a link to the DigitalBond discussion though it does give Wightman credit for the disclosure.