Yesterday DHS ICS-CERT published a new advisory about a novel twist on an earlier
CoDeSys advisory; no, not the Wightman one from April, but the Luigi-Unuver one
from January. That earlier advisory identified, among other vulnerabilities, a
stack-based buffer overflow reachable over port 8080/TCP. The new advisory
identifies a stack-based buffer overflow reachable over port 80/TCP in the ABB
AC500 PLC web server application, which is based upon the CoDeSys web server.
The new advisory does not give credit for the identification of the
vulnerability, so one would assume that it came from ABB. It does note that
publicly available exploit code exists for the vulnerability; one would expect
that this refers to the Luigi disclosure of the CoDeSys vulnerability.
Yesterday’s advisory notes that the ABB patch for this vulnerability was made
available last December. This is interesting in that December is about the same
time the original Unuver alert came out, and shortly after the initial Luigi
disclosure. It seems that ABB was faster to respond to the CoDeSys
vulnerability than the original manufacturer.
That brings to mind something that was said about the Wightman discovery of the
other CoDeSys vulnerability. The DigitalBond blog post by Wightman noted that:
“I mentioned at the beginning a
success story. The tools do not work on at least one of the vendor’s products,
who chooses to remain anonymous. The vendor has a security development
lifecycle (SDL) that included threat modeling. They identified the threat of
uploading rogue ladder logic and other malicious files, saw that this was not
addressed by the CoDeSys runtime, and added a “security envelope” around the
runtime.”
I don’t know who the anonymous vendor is, but this appears to be the same sort
of forward-thinking security effort that was apparently demonstrated by ABB in
this instance. The only question is why ABB disclosed this issue to ICS-CERT at
this time. Maybe they want some recognition for their security efforts.
2 comments:
There are actually 2 different vulns here. Luigi's targets the Gateway Server which is a PC-based component used to communicate with a field device. The ICS-CERT (and ABB) vulnerability targets the Web Server component of the Control Runtime System that is running inside the AC500 PLC.
Not knowing what Luigi actually tested, but looking at his original disclosure, these two are not related, as he was targeting the simulated runtime environment (RTE) component which is running on a Windows 2000/NT/XP platform. This is not a credible test that devices would be similarly vulnerable.
Forgot to add ... ABB disclosed this vulnerability via their public cyber security advisory website on April 20, 2012, so it would appear that ICS-CERT is late in communicating this out ... which BTW ... it still has not posted to their RSS or Twitter feeds!