Yesterday the DHS ICS-CERT published a new advisory concerning multiple vulnerabilities reported in two applications provided by WellinTech: KingView and KingHistorian. These vulnerabilities were reported by Carlos Mario Penagos Hollman and Dillon Beresford in a coordinated disclosure.
The vulnerabilities are remotely exploitable and can be exploited by a moderately skilled attacker. The advisory notes that four of the vulnerabilities could result in execution of arbitrary code and the fifth (path traversal) would allow access to process information. The vulnerabilities include:
• Stack-based buffer overflow;
• Heap-based buffer overflow;
• Out-of-bounds read;
• Path traversal; and
• Improper restriction of operation within the bounds of a memory buffer.
WellinTech has produced separate patches for KingView and KingHistorian. ICS-CERT reports that Hollman and Beresford have validated the patches.
There is one small oddity in this advisory. Typically when ICS-CERT reports on a coordinated disclosure it posts the information initially on the US-CERT limited access server so that owner/operators have a chance to patch their systems before the vulnerability becomes public knowledge. ICS-CERT usually reports that this has happened in the overview section of the advisory; it did not do so in this case. It is not clear whether this was just an omission of the comment (inadvertent or otherwise) or if ICS-CERT did not post this advisory on the restricted access server for some reason.
If it is the latter, I’m not sure that it would be a significant change in process. We have no idea how many control system owners have applied to obtain (or been approved to obtain) access to that US-CERT server, but I would be very surprised if it were a significant fraction of the actual owners in the US. Even those that do have access probably don’t use it often enough to be assured of the early warning being made available through these restricted releases.
There has to be some way to push this information to the user level. I’m not sure how well vendors do in this regard (and I would assume that some do it better than others and some don’t do it at all), but from an infrastructure protection point of view this is at least partially a responsibility of DHS and thus, by default, ICS-CERT. To be fair, ICS-CERT does make an effort; just recently they started Tweeting (@ICS-CERT) about these vulnerability advisories, but they currently have only 93 followers and most of those are commentators like me.
For critical infrastructure control systems, there needs to be some sort of registration requirement under which ICS-CERT maintains a registry of control system owners that allows it to push these alerts and advisories directly to security managers at the facility level. The owners could then make a timely decision on how to address the vulnerabilities in their systems.