With the Senate debating a cybersecurity bill that actually includes control system coverage, the folks at ICS-CERT have been hard at work trying to keep the control system community up to date on just how vulnerable our systems are. This week they have published, so far, three alerts, four advisories and their Monthly Monitor.
The DEFCON 20 conference last week was the source of the disclosure for two of the alerts, both reported by Dr. Wesley McGrew of Mississippi State University. Both deal with credential-type issues and neither is remotely exploitable. The only thing of real interest here (other than to owners of the affected systems) is that these are the only vulnerabilities reported at DEFCON 20 that ICS-CERT has been concerned about.
The third alert comes from an uncoordinated disclosure from Luigi. It’s a directory traversal vulnerability. It is remotely exploitable and Luigi has, as always, published proof of concept code on his web site. As expected, ICS-CERT did not include a link to Luigi’s disclosure, but I will. According to Luigi’s web site this disclosure was made back in June, hardly a timely notification by ICS-CERT.
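Since the Luigi alert is the one remotely exploitable item in this batch, the directory traversal class is worth a concrete illustration. The Python below is an added example written for this post; it is not code from Luigi, ICS-CERT or the affected vendor, and the document root, request strings and function names are all constructed for the illustration rather than taken from any real product. It shows the naive file-serving join beside a hardened resolver that decodes, normalizes and then checks containment.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root for a hypothetical HMI web front end.
DOC_ROOT = "/var/www/hmi_static"


def decode_request_path(raw):
    """Percent-decode and unify separators BEFORE validation, so that
    encoded or backslash-written '..' segments are seen by the check."""
    return unquote(raw).replace("\\", "/")


def vulnerable_resolve(doc_root, raw_path):
    """Naive handler: joins the client path onto the root and serves it.
    normpath collapses '..' segments, so the result can leave doc_root."""
    rel = decode_request_path(raw_path).lstrip("/")
    return posixpath.normpath(posixpath.join(doc_root, rel))


def safe_resolve(doc_root, raw_path):
    """Hardened handler: same join, but refuse any result that is not
    the root itself or a descendant of it."""
    root = posixpath.normpath(doc_root)
    rel = decode_request_path(raw_path).lstrip("/")
    candidate = posixpath.normpath(posixpath.join(root, rel))
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError(f"path escapes document root: {raw_path!r}")
    return candidate


def classify(raw_path, doc_root=DOC_ROOT):
    """Return 'served' or 'blocked' for a request, as a detection-style
    summary a log reviewer could apply to access-log paths."""
    try:
        safe_resolve(doc_root, raw_path)
        return "served"
    except PermissionError:
        return "blocked"


if __name__ == "__main__":
    # Constructed sample requests: two benign, three traversal attempts.
    for req in ["/index.html", "/css/../css/style.css",
                "/../../../etc/passwd", "/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                "/..\\..\\..\\windows\\win.ini"]:
        print(f"{req!r:45} naive -> {vulnerable_resolve(DOC_ROOT, req)!r:35} "
              f"hardened -> {classify(req)}")
```

The containment test is done on the normalized string rather than with a substring search for `..`, because the attacker controls the encoding of the request and the server controls the normalization; decode and normalize first, then compare. On a host where the document root may itself be a symlink, the same check should be applied to the resolved real path (`os.path.realpath`) as well.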
It turns out that Luigi is also a composer. If you like techno type instrumentals, check out some of his tracks.
Siemens has self-reported vulnerabilities in two separate systems; it seems that they have gotten on the identifying-correcting-reporting bandwagon. Two versions of the SIMATIC S7-400 CPU have DoS vulnerabilities. Siemens has provided a firmware update for the V6.03 CPU but not the V5, as it has reached end-of-life and has been discontinued. Of course everyone has replaced the older version, so it isn’t really a problem (SARCASM alert).
The second Siemens advisory deals with a default password in their Synco OZW Web Server device used for building automation systems. This would allow access to the building automation network which may (not mentioned in the ICS-CERT Advisory) include security systems. A firmware update is available, but changing the default passwords is a simpler option.
Dr. McGrew (mentioned above) was responsible for the coordinated disclosure of the authentication by-pass vulnerability in the ICONICS GENESIS32 and BIZVIS Security Configurator. ICONICS is releasing a patch that disables the backdoor security login in some versions (no word on the others) and plans to implement a “more secure encryption algorithm” in the future. There is a publicly available exploit for this vulnerability. HMMM… did Dr. McGrew talk about this at DEFCON as well? Maybe this should have been an alert instead of an advisory.
The Sielco Sistemi advisory closes out two ICS-CERT Alerts for the Winlog SCADA system (one from a Luigi disclosure and another by Michael Messner). Sielco Sistemi has provided a software update that has been verified by Messner (oops, I guess Luigi is on the outs again).
The latest two-month issue of the Monthly Monitor is, as always, a worthwhile read. They provide an interesting update to their previous report on the apparently ongoing phishing attacks on pipeline companies. In my opinion the most important part of that discussion is found in the second paragraph on the first page:
“Recent reports and analysis conducted by ICS-CERT indicate that information pertaining to the ICS/SCADA environment, including data that could facilitate remote unauthorized operations, has been exfiltrated as part of this campaign. Despite this, ICS-CERT has not received any reports of unauthorized access into the ICS environment; however, this may be due to limited monitoring and intrusion detection capabilities in the targeted companies’ control networks. The intent of the attackers remains unknown.”
While this spear phishing campaign appears to be solely directed at pipeline companies, owners of all control systems need to pay attention to this. It is a classroom lesson in how to go about a systematic attack on control systems: infiltrate the system to gain the knowledge necessary to formulate an effective attack on it. Much the same thing must have been done to prepare the Stuxnet attack.
There is also an interesting snippet about what may be the ‘next’ systemic vulnerability: inadequate keys or certificates in embedded devices. It is apparent that ICS-CERT is concerned about this apparently widespread vulnerability. They note that:
“ICS-CERT is currently coordinating with multiple vendors that could be affected by this vulnerability.”
Typically I would expect silence about a vulnerability this important until the vendors either have a chance to fix it or ICS-CERT gives up on their cooperation. Either ICS-CERT is changing their policy (maybe because this is so important) or the level of cooperation they are receiving leaves much to be desired. We’ll be watching for advisories on this topic, and will wonder when people like Luigi start to look for these on their own.