Dale Peterson’s S4 Conference opens this weekend and it has been given an appropriate starting nod from ICS-CERT: two of the systems (Rockwell PLCs and CoDeSys Runtime) identified as vulnerable at last year’s meeting had their ICS-CERT Alerts closed out yesterday. And just for good measure they also closed out an earlier alert for SpecView based upon a Luigi-reported vulnerability.
This advisory closes out two vulnerabilities in CoDeSys Runtime that were identified by Reid Wightman at last year’s Project Basecamp. The improper access control and directory traversal vulnerabilities could allow a relatively low-skilled attacker to use available exploit tools to remotely access the affected systems “to compromise the availability, integrity, and confidentiality of the device”; essentially, to own the system. A patch has been made available by CoDeSys and Reid has validated the efficacy of the patch.
The bigger picture is troubling. Reid noted that the Runtime system was used by a large number of other vendors in their product lines. When ICS-CERT updated the original Alert in October, CoDeSys had published a list of those vendors on their web site. This advisory reports that the list is no longer there.
ICS-CERT reports that there are about 260 vendors that use this vulnerable product as part of their systems. It would seem to me that some could directly use the CoDeSys patch, but others would have to provide a patch unique to their systems because of potential interactions. Wouldn’t it be prudent for ICS-CERT to go to those 260 vendors and give them the now standard 45 days to develop mitigation measures for those affected systems? Surely someone in ICS-CERT kept a copy of that list of vendors…
This advisory closes out the alert on the Rockwell PLCs based upon a presentation given by Rubén Santamarta of IOActive at last year’s S4 conference. According to the original alert Rubén identified seven vulnerabilities, and this advisory reports eight vulnerabilities that a relatively low-skilled attacker could exploit remotely, possibly resulting “in a denial-of-service (DoS) condition, controller fault, or enable a Man-in-the-Middle (MitM) attack, or Replay attack” (pg 2).
The eighth vulnerability was subsequently discovered by Rockwell. The eight are:
• Improper access control, Change IP (CVE-2012-6439);
• Improper access control, Reset (CVE-2012-6442);
• Improper access control, Stop (CVE-2012-6435);
• Information exposure (CVE-2012-6441);
• Improper input validation, NIC (CVE-2012-6438);
• Improper input validation, CPU (CVE-2012-6436);
• Authentication bypass by capture, Replay (CVE-2012-6440); and
• Improper authentication, Firmware Upload (CVE-2012-6437).
Rockwell has produced three separate patches for affected systems and provided a list of temporary fixes that can be put into place while waiting for an opportunity to patch the affected system (a nice move considering the potential problems with system patching).
Rockwell made these patches available in July. Obviously ICS-CERT was expecting something else (what, isn’t clear) from Rockwell in addition to those patches, because it noted in this advisory that: “There have been no updates from Rockwell since these patches were released.” (pg 1)
There is also a bigger picture issue here that was ignored in this advisory. Reid Wightman noted on the Digital Bond blog last year that the vulnerabilities identified by Rubén could potentially affect systems from about 300 vendors, because the vulnerabilities were inherent to the EtherNet/IP protocols used for communications with the PLCs, not unique to the Rockwell PLCs.
ICS-CERT acknowledged this in their updated alert in February. It was not mentioned, however, in this advisory. Again, I ask the question: is ICS-CERT going to give these 300 vendors their standard 45-day notice and then start publishing advisories?
This advisory for SpecView is based upon an uncoordinated disclosure from Luigi. He describes the vulnerability as “a classical directory traversal attack through the usage of more than two dots”. ICS-CERT says that a skilled attacker using Luigi’s proof-of-concept code could remotely effect an attack that “could result in data leakage and file manipulation” (pg 1).
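Both the CoDeSys Runtime and the SpecView findings above are directory traversal bugs, and the “more than two dots” variant is the usual way a pattern-stripping filter gets beaten. The following is an added example, not code from SpecView, CoDeSys, Luigi or the advisories: it pairs a hypothetical resolver that strips the literal `../` once (an assumed weak design, not either vendor’s actual code) with a hardened resolver that normalises the path first, confines it to a constructed document root (`/srv/specview/www`, an assumption), and additionally refuses any path component made only of dots.

```python
import posixpath
import re

# Constructed document root for this example; the real product layout is not known here.
DOC_ROOT = "/srv/specview/www"

# Any path component consisting only of two or more dots. A lone ".." is resolved
# by normpath before this check runs; longer runs ("...", "....") are refused as a
# hedge, because some older Windows path handlers collapsed them to parent
# references too, which is exactly the "more than two dots" trick.
DOTS_ONLY = re.compile(r"^\.{2,}$")


def naive_resolve(request_path: str) -> str:
    """Hypothetical vulnerable resolver (assumed, not any vendor's code):
    deletes each literal '../' once and trusts whatever is left."""
    cleaned = request_path.replace("../", "")
    return posixpath.normpath(posixpath.join(DOC_ROOT, cleaned.lstrip("/")))


def safe_resolve(request_path: str):
    """Hardened resolver: join, normalise, then confine to DOC_ROOT.
    Returns the absolute path, or None when the request escapes the root
    or contains a dots-only component."""
    candidate = posixpath.normpath(posixpath.join(DOC_ROOT, request_path.lstrip("/")))
    # Containment check on the normalised result, not on the raw request.
    if not (candidate == DOC_ROOT or candidate.startswith(DOC_ROOT + "/")):
        return None
    relative = candidate[len(DOC_ROOT):].strip("/")
    if any(DOTS_ONLY.match(part) for part in relative.split("/") if part):
        return None
    return candidate


if __name__ == "__main__":
    # Constructed request paths: a plain traversal and the four-dot bypass.
    for req in ("/index.html", "/../../../etc/passwd", "/....//....//....//etc/passwd"):
        print(f"{req!r:40} naive -> {naive_resolve(req)}")
        print(f"{'':40} safe  -> {safe_resolve(req)}")
```

The naive filter looks fine against `/../../../etc/passwd` but turns `....//` into `../` after one deletion pass and so hands back `/etc/passwd`; the hardened version never pattern-matches the request at all, it resolves the path and then asks whether the result is still under the root. The example uses `posixpath` so it runs the same on any platform; on a Windows host you would use `os.path.realpath` on the candidate and compare case-insensitively, since that is where the extra-dots behaviour matters.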
SpecView has produced an update that Luigi has verified fixes the vulnerability.
No ‘bigger issues’ here.