Yesterday the DHS ICS-CERT published three advisories concerning industrial control system vulnerabilities, one of which was an update of information in a previous alert. Since one of the advisories concerned a vulnerability in a third-party component, ICS-CERT promised an advisory on that component when more information becomes available.
This advisory provides updated information for an alert issued in April. The original disclosure by Reid Wightman was part of Project Basecamp and involves two separate vulnerabilities in the WAGO I/O System 758 product line: a hard-coded password and an improper authentication vulnerability. Both vulnerabilities are remotely exploitable, and Digital Bond reports that there is a Metasploit module available for the second vulnerability. Both vulnerabilities would allow remote execution of arbitrary code by a low-skilled attacker.
WAGO has published a procedure for correcting the hard-coded password vulnerability, but it does not apply to the Model 758-870 systems as they are no longer being produced (and of course no one would still be using systems that are no longer being produced – SARCASM alert). A ‘best practices’ document has been released by WAGO.
According to this advisory the second vulnerability isn’t really WAGO’s fault; it is actually in the 3S-Smart Software Solutions CoDeSys runtime used to program the WAGO devices. ICS-CERT promises an advisory for this problem “as more information becomes available” (pg 3). It’s disappointing that they did not issue a concurrent alert for this vulnerability, especially since there is a Metasploit module available to exploit it. I guess hackers wouldn’t be able to tell what CoDeSys program was being used and where else it might be employed; RIGHT.
Arbiter Systems Power Sentinel Advisory
This advisory deals with a self-reported vulnerability in the Arbiter Systems Power Sentinel Phasor Measurement Unit (standard kudos for self-reporting). This is a pretty standard DoS vulnerability based upon a buffer overflow. Since this vulnerability could allow a relatively unskilled attacker to remotely shut down the Ethernet port on the device, it could lead to some serious problems in the electrical generation or transmission system where the device was employed.
A firmware patch is available and an uploader software package must also be downloaded so that the patch can be uploaded to the device.
InduSoft ISSymbol Advisory
This advisory is based upon a coordinated disclosure (via the Zero Day Initiative) by Alexander Gavrun. The heap-based buffer overflow vulnerability in the ActiveX control affects the InduSoft ISSymbol, Thin Client and Web Studio products. A moderately skilled attacker could exploit this vulnerability remotely to execute arbitrary code. A ‘hot fix’ is available from InduSoft.
The one oddity in this fairly standard advisory is the fact that, instead of providing a link to the patch, owners need to email a request for the patch to InduSoft (a link for that email is included). In some ways this makes sense, as it provides the vendor with some level of control over who gets the patch. I don’t know how fast InduSoft will respond to the request, but this does have to be at least somewhat slower than providing a direct link. Whether this turns out to be a bad thing will depend on how fast InduSoft responds to these emails.