This afternoon the DHS ICS-CERT updated their advisory for Ruby on Rails, an open source web framework used by a third-party component of Wonderware Intelligence. The multiple vulnerabilities included in the advisory were reported by Aaron Patterson in a coordinated disclosure. The advisory was initially released on the CERT secure portal; this update is the first time it has been published publicly.
The reported vulnerabilities include:
• Permissions, privileges and access controls, CVE-2013-0155;
• Input validation, CVE-2013-0156; and
• Input validation, CVE-2013-0333. NOTE 1: This vulnerability was added in this update. NOTE 2: There was a typo in the link provided in the advisory; I have provided the correct link here.
ICS-CERT notes that a low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code. Invensys has produced a new version of their Tableau Dashboard Server that mitigates these vulnerabilities.
Invensys has come up with a unique way to deal with these vulnerabilities in older, unsupported systems. The advisory notes that:
“Customers currently using a version older than 1.5 SP1 are required to obtain a new license.”
There is always a bit of a disconnect between the interests of the vendor and the customer when it comes to correcting security deficiencies in older systems. Many owners (maybe most) will use a control system for a very long time; some long past any time that a reasonable vendor would spend money on developing and providing patches. Presumably this new license will provide the owners of older systems with a more supportable version of their system.
Ruby on Rails
The big question here is whether this is really an Invensys security vulnerability. It certainly affects these Wonderware systems, but it is more properly a vulnerability in a third-party component of the system (Tableau Server), which is in turn based upon an open source program, Ruby on Rails.
As I have asked on a number of similar occasions, who else is using either Tableau Server or Ruby on Rails in their ICS systems? Shouldn’t we expect to find these three vulnerabilities in their systems as well?