Yesterday the DHS ICS-CERT published a new advisory (GE Intelligent Platforms Proficy products), an advisory updating an earlier Luigi alert (Pro-Face Pro-Server) and an alert for new, uncoordinated Luigi-reported vulnerabilities (Sielco Sistemi Winlog).
GE Proficy Advisory
This advisory is based upon a command injection vulnerability reported by Andrea Micalizzi and the subsequent discovery (by GE Intelligent Platforms) of a stack-based buffer overflow in a third-party HTML help application used by some GE Intelligent Platforms Proficy products. Both vulnerabilities are remotely exploitable by a moderately skilled attacker using a social engineering attack. The folks at GE are to be commended for going the extra step and identifying the additional vulnerability.
GE recommends unregistering and deleting the KeyHelp.ocx ActiveX control and has provided product specific instructions for doing so.
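For sites that want to verify the mitigation across a fleet of Windows hosts, the script below is an added example (not GE's product-specific instructions, which should be followed first). It walks the CLSID registrations in the registry looking for any COM class implemented by a file named KeyHelp.ocx (the only identifier the advisory gives; no CLSID is assumed, every one is discovered at run time), reports what it finds, and with -Remove unregisters the control, deletes the file and sets the Internet Explorer ActiveX kill bit on each discovered CLSID so a browser-hosted page cannot instantiate it again. Run it in an elevated PowerShell session.

```powershell
# Inventory (and optionally remove) ActiveX/COM registrations that load KeyHelp.ocx.
# Added example for verifying GE's recommended mitigation; not vendor-supplied code.
param(
    [switch]$Remove   # without -Remove the script only reports what it finds
)

$target = 'KeyHelp.ocx'   # file name from the advisory; CLSIDs are discovered, never assumed

# Check both the native and the 32-bit (WOW6432Node) class hives on 64-bit Windows.
$clsidRoots = @(
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID'
) | Where-Object { Test-Path $_ }

$found = foreach ($root in $clsidRoots) {
    Get-ChildItem -Path $root -ErrorAction SilentlyContinue | ForEach-Object {
        $inproc = Join-Path $_.PSPath 'InprocServer32'
        if (Test-Path $inproc) {
            # The default value of InprocServer32 is the path of the DLL/OCX implementing the class.
            $path = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            if ($path) {
                $clean = $path.Trim('"')
                if ([IO.Path]::GetFileName($clean) -ieq $target) {
                    [pscustomobject]@{
                        Clsid = $_.PSChildName
                        Path  = $clean
                        Hive  = $root
                    }
                }
            }
        }
    }
}

if (-not $found) {
    Write-Output "No COM class implemented by $target is registered on this host."
    return
}

Write-Output "COM classes implemented by ${target}:"
$found | Format-Table -AutoSize

if ($Remove) {
    # Unregister each distinct file the same way its installer registered it, then delete it.
    foreach ($f in ($found | Sort-Object Path -Unique)) {
        if (Test-Path $f.Path) {
            & regsvr32.exe /u /s "$($f.Path)"
            Remove-Item -Path $f.Path -Force
            Write-Output "Unregistered and deleted $($f.Path)"
        }
    }
    # Kill bit: Compatibility Flags = 0x400 stops Internet Explorer from instantiating the
    # CLSID even if the file is restored later (e.g. by a product reinstall).
    foreach ($f in $found) {
        $kb = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$($f.Clsid)"
        New-Item -Path $kb -Force | Out-Null
        Set-ItemProperty -Path $kb -Name 'Compatibility Flags' -Value 0x400 -Type DWord
        Write-Output "Kill bit set for $($f.Clsid)"
    }
}
```

The report-only default exists so the same script can be pushed to every Proficy host first to confirm where the control is actually present; the kill bit is applied per CLSID so that a later reinstall of the product does not silently re-expose a browser-reachable path to the control.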
As with any vulnerability in a third-party component of an ICS product, one has to wonder which other vendors have used the same component in their products. One would suspect that any such product has the same vulnerabilities as those identified here.
Pro-Face Advisory
This advisory is a close-out of an alert issued in May for an uncoordinated vulnerability disclosure made by Luigi. That alert identified five separate remotely exploitable vulnerabilities:
• Memory Corruption (2);
• Integer Overflow;
• Unhandled Exception; and
• Invalid Memory Read Access.
The Advisory reports that Digital Electronics, the developer/manufacturer of the Pro-Face line, has released patch modules for the affected systems. The Advisory describes the patch this way:
“The patch module prevents the Pro-Server EX and WinGP from an attack using inaccurate packets.”
This wording is odd because only one of the vulnerability descriptions mentions the use of packets in exploiting the vulnerability. That, combined with the lack of any report that the mitigation has been verified by Luigi or ICS-CERT, makes one wonder about the efficacy of the mitigation. Digital Electronics has apparently addressed this issue by recommending:
• A review of all network configurations for control system devices;
• The removal of unnecessary PCs from control system networks; and
• The removal of unnecessary applications from control system networks.
All of these are appropriate recommendations for any control system, but they are hardly effective mitigation measures for the identified vulnerabilities, especially since Luigi always publishes proof-of-concept exploit code. This is very poor security support.
Sielco Sistemi Alert
This ICS-CERT alert addresses the latest report of ICS vulnerabilities by Luigi. Luigi identified multiple vulnerabilities when the software is configured to allow the system to act as a TCP/IP server. Those vulnerabilities include:
• Multiple buffer overflows;
• Directory traversal;
• Improper access of indexable resource; and
• Write-what-where condition.
As always, Luigi provides proof-of-concept exploit code on his website.