Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published two advisories for control system vulnerabilities identified in Measuresoft’s SCADAPRO and the xArrow Software HMI system. Alert readers will note that the xArrow Advisory is an update from an earlier xArrow Alert.
Measuresoft is an Irish SCADA manufacturer, and this advisory is based upon an uncontrolled search path element vulnerability (DLL hijack) reported by Carlos Mario Penagos Hollmann in a coordinated disclosure. The vulnerability could be remotely exploited by a moderately skilled attacker, possibly resulting in execution of arbitrary code.
Measuresoft has produced upgrades for both its ScadaPro Server and Client. According to the Advisory, Hollmann has verified that the upgrades appropriately mitigate the vulnerability.
xArrow Software is a Chinese software development firm. The four vulnerabilities were identified in their HMI by Luigi back in March and reported in an uncoordinated disclosure. The vulnerabilities listed are:
• Null pointer de-reference;
• Heap-based buffer overflow;
• Out-of-bounds read; and
• Improper restriction of operations within the bounds of the memory buffer.
The Advisory states that “No known exploits specifically target these vulnerabilities.” This contradicts what ICS-CERT said in their original Alert, and Luigi is well known for having exploit code on his web site (and it looks like exploit code to me for this disclosure). This is probably one of those formatting mistakes (using a canned format for the Advisory) rather than a deliberate misstatement on the part of ICS-CERT.
Missed Alert and Advisory
I did not report on an alert and an advisory published by ICS-CERT last week. The alert was for another Luigi uncoordinated disclosure of multiple (4) vulnerabilities in the Pro-Face Pro-Server SCADA/HMI product. The advisory was a follow-up to an earlier alert about a buffer overflow vulnerability in Advantech Studio, an automation tool used to develop HMI and SCADA systems. There is no telling what systems Studio has been used to develop, or if any have been compromised through this vulnerability.