Yesterday (lost in the cybersecurity EO and State of the Union hoopla) the DHS ICS-CERT published two advisories addressing buffer overflow vulnerabilities in industrial control systems. The advisories addressed vulnerabilities in products from Schneider and WellinTech.
The Schneider advisory addresses a heap-based buffer overflow in the Accutech Manager application from Schneider. The vulnerability was reported by Aaron Portnoy of Exodus Intelligence in a coordinated disclosure (more about this later), and according to the advisory Aaron has verified that the update provided by Schneider effectively mitigates the vulnerability.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability using publicly available exploit code, and that doing so could allow the attacker to execute arbitrary code on the system.
The advisory also notes that Schneider recommends closing Accutech Manager when it is not actually in use. ICS-CERT (apparently) also recommends ensuring that the vulnerable port (2537/TCP) is not accessible from the internet.
The WellinTech advisory addresses a memory corruption buffer overflow in the kingMess application within the KingView product. The vulnerability was reported by Lucas Apa and Carlos Mario Penagos Hollman of IOActive in a coordinated disclosure. They have also verified that the patch produced by WellinTech fixes the vulnerability.
ICS-CERT reports that a highly skilled attacker could remotely exploit this vulnerability to execute arbitrary code on the system.
It’s interesting to note that WellinTech reportedly released the patch on November 15th of last year and ICS-CERT is just now publishing the advisory. This may be because WellinTech did not disclose the vulnerability to ICS-CERT until recently.
New Twist on Coordinated Disclosure
The Schneider advisory has something that I don’t recall seeing in a coordinated disclosure advisory before, a report that there is publicly available exploit code for the vulnerability. Typically the researcher keeps any exploit code they developed tightly held, only sharing it with the vendor. There is nothing specific about who has released the exploit, so I can’t tell from the advisory if it was Aaron who released the exploit code or some other researcher who independently discovered the vulnerability.
A look at the Exodus Intelligence (Aaron’s employer) web site sheds some light on the situation. Exodus Intelligence offers its customers two different types of ‘vulnerability intelligence data feeds’. A ‘Zero-day Feed’ offers its customers information on vulnerabilities (including exploit code) just after Exodus notifies the vendor of the vulnerability. I’m assuming that there is some sort of non-disclosure agreement that goes along with this feed.
A separate (and presumably cheaper) ‘Day of Disclosure Feed’ provides the same information to Exodus customers on the same day the vendor publicly announces the availability of the mitigation for the vulnerability. Again, this includes a copy of the exploit code for the vulnerability. I’m assuming that this is the exploit code for the Schneider vulnerability that is referenced in the advisory.
It is interesting to me to see how many different business models are beginning to grow out of the white hat side of the cybersecurity universe. Researchers need to make money to support their nasty habits like eating and bathing, and these varied business models will make it easier for these folks to keep plying their trade, keeping software vendors on their toes.