Yesterday afternoon DHS ICS-CERT published three advisories: one about a recent coordinated disclosure and two about old vulnerabilities identified by the vendor. The new one concerns a single vulnerability in a variety of Invensys systems; both of the older ones deal with Siemens systems. Oh, and remember this for later: the new advisory and one of the old ones deal with DLL vulnerabilities.
This advisory deals with an uncontrolled search path element vulnerability (better known as a DLL hijack: the application looks for a library in directories an attacker can write to before it looks in the directory that holds the legitimate copy) in a variety of products in the Wonderware System Platform family. The vulnerability was discovered by Carlos Mario Penagos Hollmann. The advisory was first posted on the US-CERT secure portal on July 5th.
A moderately skilled attacker could exploit this vulnerability by placing a malicious DLL where the application will find it first; the application then loads the attacker's code with its own privileges. To do that the attacker must have physical access to the system or must be able to manipulate a user who has access to it.
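To make the search-path problem concrete, here is an added example (my own PowerShell, not code from ICS-CERT, Invensys or Microsoft) that walks the Windows DLL search order for a given executable and DLL name, reports where the DLL would actually be loaded from, and lists the directories searched before that point which the current user can write to. The executable path, DLL name and share path on the usage line are placeholders. Run it as the account that launches the application, not as an administrator, because the writability probe reflects the rights of whoever runs it.

```powershell
# Added example (my own PowerShell; not code from ICS-CERT, Invensys or Microsoft).
# Walks the Windows DLL search order for one executable and one DLL name, reports
# where the DLL would load from, and lists the directories searched before that
# point which the current user can write to. Paths in the usage line are placeholders.

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'

function Get-DllSearchOrder {
    param(
        [Parameter(Mandatory)][string]$AppDirectory,
        [Parameter(Mandatory)][string]$WorkingDirectory
    )
    $sm    = Get-ItemProperty -LiteralPath $SessionManager -ErrorAction SilentlyContinue
    $sys   = [Environment]::GetFolderPath('System')    # e.g. C:\Windows\System32
    $win   = [Environment]::GetFolderPath('Windows')   # e.g. C:\Windows
    $sys16 = Join-Path $win 'System'                   # 16-bit system directory
    $path  = @($env:PATH -split ';' | Where-Object { $_ -ne '' })

    # CWDIllegalInDllSearch (KB 2264107): -1 (DWORD 0xFFFFFFFF) drops the working
    # directory from the order altogether; 2 drops it only when it is a remote folder.
    # (The WebDAV-only setting of 1 and the per-application override are not modelled.)
    $cwdBlocked = ($sm.CWDIllegalInDllSearch -eq -1) -or
                  ($sm.CWDIllegalInDllSearch -eq 2 -and $WorkingDirectory -like '\\*')
    $cwd = if ($cwdBlocked) { @() } else { @($WorkingDirectory) }

    # SafeDllSearchMode (default on): app dir, system dirs, CWD, then PATH.
    # Explicitly set to 0: CWD moves up to second place, right after the app dir.
    if ($sm.SafeDllSearchMode -eq 0) { return @($AppDirectory) + $cwd + @($sys, $sys16, $win) + $path }
    return @($AppDirectory, $sys, $sys16, $win) + $cwd + $path
}

function Test-DirectoryWritable {
    param([Parameter(Mandatory)][string]$Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    # Create-and-delete probe: reflects the rights of whoever runs this script.
    $probe = Join-Path $Directory ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch { return $false }
}

function Find-DllHijackCandidate {
    param(
        [Parameter(Mandatory)][string]$ExePath,
        [Parameter(Mandatory)][string]$DllName,
        [string]$WorkingDirectory = (Get-Location).Path
    )
    # KnownDLLs are mapped from System32 regardless of the search order.
    $known = (Get-ItemProperty -LiteralPath "$SessionManager\KnownDLLs").PSObject.Properties |
             Where-Object { $_.Value -is [string] -and $_.Value -like '*.dll' } |
             ForEach-Object { $_.Value }
    if ($known -contains $DllName) {
        return [pscustomobject]@{ Dll = $DllName; ResolvesTo = 'KnownDLL (always System32)'; WritableDirsBeforeIt = @() }
    }

    $order = Get-DllSearchOrder -AppDirectory (Split-Path -Parent $ExePath) -WorkingDirectory $WorkingDirectory
    $resolvedDir = $null
    foreach ($dir in $order) {
        if (Test-Path -LiteralPath (Join-Path $dir $DllName) -PathType Leaf) { $resolvedDir = $dir; break }
    }

    # Every writable directory searched before the real DLL is a place where a planted
    # copy would win. If the DLL is not found anywhere (a "phantom" DLL), every writable
    # directory in the whole order qualifies.
    $exposed = @()
    foreach ($dir in $order) {
        if ($resolvedDir -and $dir -eq $resolvedDir) { break }
        if (Test-DirectoryWritable -Directory $dir) { $exposed += $dir }
    }
    [pscustomobject]@{
        Dll                  = $DllName
        ResolvesTo           = if ($resolvedDir) { Join-Path $resolvedDir $DllName } else { '<not found: phantom DLL>' }
        WritableDirsBeforeIt = $exposed
    }
}

# Usage (placeholder paths): an application under Program Files, started by opening a
# document on a network share, so the share is its working directory.
Find-DllHijackCandidate -ExePath 'C:\Program Files\Vendor\app.exe' -DllName 'dwmapi.dll' `
                        -WorkingDirectory '\\fileserver\share'
```

Two things this cannot see: whether the application itself narrows the search (an assembly manifest, SetDllDirectory, or LoadLibraryEx search flags), and the per-application CWDIllegalInDllSearch override, so treat a listed directory as a lead to confirm rather than a proven hijack. A "phantom DLL" result is the worst case, since every writable directory in the order is somewhere the attacker's copy would be picked up.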
Invensys has developed a patch for the affected systems which is available on the Wonderware web site.
Siemens self-reported two vulnerabilities that are being addressed in separate advisories. The first is an insecure SQL server vulnerability and the second is a DLL loading mechanism vulnerability. As if self-reporting were not odd enough (to be encouraged, to be sure, but odd), the first vulnerability was patched in 2010 (update V5.5 SP1) and the second in 2011 (update V7.0 SP2 Update 1). Both vulnerabilities can be remotely exploited, and there are publicly available exploits for both.
No word about why Siemens wanted these vulnerabilities made public at this late date. It does seem obvious that they are the ones responsible for ICS-CERT publishing these now, but for the life of me I can’t figure out why.
MS DLL Advisory
I’m not sure if Chris Jager knew about the two DLL vulnerabilities being reported by ICS-CERT, but in a Tweet this afternoon he pointed us at a Microsoft Security Advisory from earlier this month (actually an older advisory, updated for the 17th time earlier this month) about insecure library loading. It discusses the type of DLL preloading (hijacking) attack covered in the two advisories published today. It notes that MS has provided guidance to software developers “on how to correctly use the available application programming interfaces to prevent this class of vulnerability”.
More importantly for system owners, “Microsoft is releasing a tool that allows system administrators to mitigate the risk of this new attack vector by altering the library loading behavior system-wide or for specific applications”. While this is not a control-system-specific tool, the fact that this class of vulnerability has been found in so many ICS products might make it an important tool that should be in the ICS security toolbox.
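The setting behind that Microsoft tool is the CWDIllegalInDllSearch registry value documented in Microsoft KB 2264107. As an added example (my own PowerShell, not code from Microsoft or ICS-CERT), the script below applies it either system-wide or for a single executable and reads the effective setting back; the executable name in the usage lines is a placeholder. Run it from an elevated PowerShell.

```powershell
# Added example (my own PowerShell; not code from Microsoft or ICS-CERT).
# Sets the CWDIllegalInDllSearch value from KB 2264107 system-wide or for one
# executable, and reads it back. 'app.exe' in the usage lines is a placeholder.

$SessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$Ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# Documented values. PowerShell reads the DWORD 0xFFFFFFFF back as -1, so -1 is
# the value written here for 'Never'.
$CwdModes = [ordered]@{
    Default = 0    # current working directory stays in the search order
    WebDav  = 1    # skip CWD when it is a WebDAV folder
    Remote  = 2    # skip CWD when it is any remote folder (UNC share or WebDAV)
    Never   = -1   # 0xFFFFFFFF: remove CWD from the search order entirely
}

function Set-CwdDllSearchPolicy {
    param(
        [Parameter(Mandatory)][ValidateSet('Default', 'WebDav', 'Remote', 'Never')][string]$Mode,
        [string]$ExeName     # image name such as 'app.exe'; omit for the system-wide setting
    )
    # A per-application value under Image File Execution Options overrides the system-wide one.
    $key = if ($ExeName) { Join-Path $Ifeo $ExeName } else { $SessionManager }
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -LiteralPath $key -Name 'CWDIllegalInDllSearch' -Type DWord -Value $CwdModes[$Mode]
}

function Get-CwdDllSearchPolicy {
    param([string]$ExeName)
    $key = if ($ExeName) { Join-Path $Ifeo $ExeName } else { $SessionManager }
    $raw = (Get-ItemProperty -LiteralPath $key -Name 'CWDIllegalInDllSearch' -ErrorAction SilentlyContinue).CWDIllegalInDllSearch
    if ($null -eq $raw) { return 'not set (Default)' }
    $name = ($CwdModes.GetEnumerator() | Where-Object { $_.Value -eq $raw }).Key
    if ($name) { $name } else { "unrecognised value $raw" }
}

# Usage: stop DLL loads from remote working directories machine-wide (the "open a
# document on a share, load a DLL from the share" case), then remove CWD from the
# search order completely for one application once it has been tested with that setting.
Set-CwdDllSearchPolicy -Mode Remote
Set-CwdDllSearchPolicy -Mode Never -ExeName 'app.exe'
Get-CwdDllSearchPolicy
Get-CwdDllSearchPolicy -ExeName 'app.exe'
```

The KB warns that removing the working directory from the search order entirely can break applications that rely on loading libraries from it, so the safer rollout is the remote-folder setting system-wide and the stricter per-application value only for processes you have tested. A process has to be restarted before a changed value applies to it.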
It might be a good idea for ICS-CERT to partner with Microsoft on making this tool specifically available to ICS owners.