This afternoon the DHS ICS-CERT published an advisory for multiple vulnerabilities in the 3S CoDeSys Gateway-Server application. The vulnerabilities were reported by Aaron Portnoy of Exodus Intelligence in a coordinated disclosure.
The reported vulnerabilities include:
• Improper access of indexable resource, CVE-2012-4704;
• Directory or path traversal, CVE-2012-4705;
• Heap-based buffer overflow, CVE-2012-4706;
• Improper restriction of operations within the bounds of a memory buffer, CVE-2012-4707; and
• Stack-based buffer overflow, CVE-2012-4708.
NOTE: the CVE links may not be active for a couple of days; NIST uses this report to populate the CVE file.
ICS-CERT reports that a moderately skilled attacker could remotely exploit these vulnerabilities to crash the system or execute arbitrary code. 3S has produced a patch that ICS-CERT reports mitigates these vulnerabilities.
Exploit Code Available?
The advisory states that there are no publicly available exploits for these vulnerabilities. Given that they were reported by Exodus Intelligence, I am not so sure that that is the case. Readers will remember my comment on the Exodus business model in an earlier blog post. EI provides their customers with exploit code for all of their ‘responsibly reported’ discoveries either just after the vulnerabilities are reported or when the vendor reports the vulnerabilities. Now this might not fit the ‘publicly available’ definition that ICS-CERT is using this week, but it looked like it did last week with the Schneider advisory.