Yesterday the DHS ICS-CERT published an advisory about multiple file management vulnerabilities on the IOServer OPC Server. The vulnerabilities were first reported by Hinge of foofus.net (ICS-CERT did provide a link to the initial vulnerability report – finally).
The Official Word
The three listed vulnerabilities allow a low-skilled attacker to remotely download files from the affected system. The vulnerabilities are:
• Insufficient access controls (CWE-219);
• Directory listing (CWE-538); and
• Directory traversal (CWE-22).
According to the Advisory, IOServer has produced a patch that resolves one of the three (Directory traversal) vulnerabilities and this has been verified by Hinge. Hinge (NOT IOServer) recommends using a trailing backslash on the ‘Root Directory’ configuration value to reduce the extent of the remaining vulnerabilities. There is no mention in the Advisory if/when IOServer will be correcting these vulnerabilities.
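As an added illustration (not IOServer's code, and not from the Hinge report), here is a constructed Windows-style web root, simulated with Python's ntpath so it runs on any host, with a weak string-prefix containment check beside a robust one. It shows why a prefix check against a root configured without a trailing backslash also admits sibling directories that share the prefix; that this is the mechanism behind Hinge's trailing-backslash recommendation is an assumption, since the advisory does not say.

```python
import ntpath

# Constructed example configuration, not taken from IOServer or the advisory.
# Windows-style paths are handled with ntpath so the example runs on any host.
ROOT = "C:\\IOServer\\www"             # "Root Directory" without trailing backslash
ROOT_TRAILING = "C:\\IOServer\\www\\"  # the same root with the trailing backslash


def resolve_request(root: str, url_path: str) -> str:
    """Map a URL path onto the file system the way a simple web server might:
    drop the leading slash, convert separators, join to the root, normalise."""
    relative = url_path.lstrip("/").replace("/", "\\")
    return ntpath.normpath(ntpath.join(root, relative))


def naive_prefix_check(root: str, url_path: str) -> bool:
    """Weak containment check: string prefix on the resolved path.
    It rejects plain '..' traversal, but if `root` has no trailing separator
    any sibling directory sharing the prefix (C:\\IOServer\\www-backup) passes."""
    return resolve_request(root, url_path).lower().startswith(root.lower())


def contained_check(root: str, url_path: str) -> bool:
    """Robust containment check: normalise both sides and require that the
    common path of root and target is the root itself (ntpath.commonpath
    compares case-insensitively and raises ValueError across drives)."""
    root_n = ntpath.normpath(root)
    target = resolve_request(root_n, url_path)
    try:
        return ntpath.commonpath([root_n, target]) == root_n
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed requests: a legitimate file, a traversal, and a sibling prefix.
    for req in ("/index.html", "/../../sensitive.txt", "/../www-backup/config.ini"):
        print(f"{req:30} naive(no slash)={naive_prefix_check(ROOT, req)!s:5} "
              f"naive(slash)={naive_prefix_check(ROOT_TRAILING, req)!s:5} "
              f"robust={contained_check(ROOT, req)}")
```

The sibling-directory request is the case the naive check without a trailing separator gets wrong; both the trailing-separator variant and the commonpath check reject it.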
There are some odd things going on with this advisory. First off, since there was not an earlier alert, one would normally assume that this was a coordinated disclosure, but that is certainly not stated. In actuality, the original public disclosure that ICS-CERT provides the link to is dated August 17th, 2012, and there is nothing on that site that would imply a coordinated disclosure. The big question here is: if it was a coordinated disclosure, why did it take ICS-CERT almost a month to report this serious vulnerability (more on that later)? If it wasn’t coordinated, why wasn’t an alert issued a month ago?
A quick reading of the Advisory leaves one with the impression that this is not a really big thing. After all, it does not allow anyone to take control of the system or allow for the execution of arbitrary code; it just allows unauthorized people to read some files (all right, the cognoscenti will go “Oh Sh*” at that). Reading the Hinge disclosure makes this sound much more interesting; it describes the issue this way:
“A directory traversal vulnerability exists such that the web server can be tricked to serve up any file on the server [emphasis added], outside of the configured “Root Directory”. On Windows, one common thing to do with an issue like this is to download the backup copy of the SAM, in order to retrieve password hashes and mount an offline attack on them. Any other potentially sensitive file on the server can be accessed this way as well, if the attacker knows the path to it.”
The original disclosure goes on to describe the impact this way:
“Unexpected arbitrary access to the file system can lead to the disclosure of sensitive information. Worst case, disclosure of the system’s password hashes can lead to compromise of the passwords [emphasis added], and therefore, of the server.”
If you own the OPC Server, you have control of the ICS. So, is this a major vulnerability or what?