Yesterday ICS-CERT published advisories for control systems vulnerabilities in two control systems products; one a demonstration product that doesn’t really control anything and the other a distributed control system that is used in a wide variety of situations.
This advisory describes a DLL hijack vulnerability in RealWinDemo and RealWin products from RealFlex; both products are generally used as sales demonstration tools, but RealWin has been used in small automation projects. The vulnerability was reported by Carlos Mario Penagos Hollmann.
A relatively low skilled attacker could exploit this vulnerability given local system access. A successful exploit could allow for arbitrary code execution. An updated version of the product is available for download.
Honeywell HMIWeb Browser Advisory
This advisory describes a browser buffer overflow vulnerability in the HMIWeb Browser used by both Honeywell Process Solutions and Building Solutions products. This advisory was originally published about 100 days ago on the US-CERT secure portal to allow for customer implementation of the patches provided by the vendor. The vulnerabilities were originally disclosed by the Zero Day Initiative (ZDI).
This ActiveX control vulnerability in the HMIWeb Browser would allow a medium skilled attacker to remotely exploit the vulnerability and execute arbitrary code on the system. Application of the available patches is a tad more difficult than the process used by most vendors and is dependent on the type Honeywell product used; just read the advisory, I’m not going to try to explain it here.
There is an interesting ‘Additional Precautions’ section to this advisory that seems odd to me. It reads (pg 3):
• Do not use a Station node to connect to the Internet for the purposes of Web browsing.
• If a Station node is connected to the Internet, do not use Station or Internet Explorer to browse the Internet, or limit this usage only to trusted Web sites.
While this seems to be the standard type warning about Internet facing control systems it seems to ignore human nature. If a web browser is available on a system connected to the Internet, it is going to be used to access the Internet by bored operators when no one is around. Almost by definition they will not be using it to access trusted Web sites, porn and poker sites come quickly to mind. Blocking such sites will work for a while, but someone will inevitably discover a work-around the block and share it with others. Security training will help, but I was taught as a young NCO in the Army not to give an order you know won’t be obeyed. Have fun with this.