Today ICS-CERT published three new advisories for vulnerabilities in systems from Siemens and Schweitzer Engineering Laboratories (SEL) and updated a very recently published advisory from Schneider Electric.
Schneider Update

This has got to be one of the fastest advisory updates on record: on Monday ICS-CERT published the advisory, and today they published the update. The update adds a reference to the revised original alert, which reported Schneider's claim that two of the four reported vulnerabilities were not actually vulnerabilities, and it goes on to give a more detailed explanation of Schneider's reasoning.

This update also addresses an issue I raised in my blog post: the failure of Schneider to produce a patch or update to correct the two acknowledged vulnerabilities, relying instead on recommendations (detailed recommendations, to be sure) for the use of a firewall to prevent unauthorized access to the affected devices.
The updated advisory explains that Schneider “does not plan to issue patches because of their complex nature. Schneider Electric says that fixing these vulnerabilities would require significant changes to existing protocols and make any customer solutions currently using these features incompatible” (pg 2).
Now I’m not a software engineer, so I can’t comment on the complexity of fixing the problem, but I know that I’m not alone in thinking that this is a short-sighted response from Schneider. A commenter today on one of the LinkedIn groups where I started a discussion about yesterday’s blog post said:
“Looks like we will be looking at adding Tofino firewalls to their systems. Long term we will be looking at migrating away from hardware with known issues as it is only a matter of time before something gets around the firewall.”
SEL Advisory

This advisory describes an improper authorization vulnerability in the SEL AcSELerator QuickSet software reported by Michael Toecker of DigitalBond. The vulnerability was initially disclosed to the vendor and was subsequently presented at the S4 Conference in January. Because the vendor had already been notified (a coordinated disclosure), ICS-CERT did not issue an alert on the vulnerability when it was publicly disclosed in January. (NOTE: See Michael's DigitalBond blog post about vendor responses to disclosures, which mentions this vulnerability.)

The advisory reports that a highly skilled attacker could use this vulnerability to replace executables within the SEL Program Files directory. The attacker would need to be logged on to the computer as an authorized user to exploit this vulnerability.

SEL has produced a new version of the affected software that only allows an authenticated Administrator to change executables. The advisory does not mention whether SEL or Michael has verified that the new version actually corrects this vulnerability. Does that mean that there has been no verification, or that the drafter of this advisory simply failed to mention the fact? Please, let's have some consistency here.
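As an added example (this is not from the advisory, SEL or DigitalBond), here is a PowerShell check an operator could run on the engineering workstation to see whether any principal other than the usual administrative accounts holds write or modify rights on the software's install directory; the directory path is an assumption and must be adjusted to the real install location. An empty result is the expected state after the fix. The advisory does not say what the root cause was, so this only checks the file-system permissions; it says nothing about whether the application itself writes executables into that directory on behalf of a lower-privileged user.

```powershell
# Added example (not from the advisory or SEL): list ACL entries on an install
# directory that grant write-type rights to principals other than the expected
# administrative accounts. An empty result is the expected state.
$InstallDir = 'C:\Program Files (x86)\SEL'   # assumption: adjust to the real install path

# Rights that let a principal replace, create or delete files in the directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl -bor
               [System.Security.AccessControl.FileSystemRights]::WriteData -bor
               [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
               [System.Security.AccessControl.FileSystemRights]::Delete

# Principals expected to be able to change executables under Program Files.
# 'CREATOR OWNER' is an inherit-only placeholder resolved at file-creation time;
# review it separately if non-admins are able to create files in the tree.
$Trusted = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'NT SERVICE\TrustedInstaller',
    'CREATOR OWNER'
)

function Find-WritableByNonAdmin {
    param([string]$Path)
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        # Only Allow entries can grant a right; Deny entries are not a finding.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($Trusted -contains $ace.IdentityReference.Value) { continue }
        # Any overlap with the write-type rights above is reported.
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Check the install directory itself and every subdirectory beneath it.
Find-WritableByNonAdmin -Path $InstallDir
Get-ChildItem -Path $InstallDir -Directory -Recurse -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty FullName |
    ForEach-Object { Find-WritableByNonAdmin -Path $_ }
```

Run this from an elevated prompt so Get-Acl can read every directory. A finding such as `BUILTIN\Users` with `Modify` on the install tree is the condition under which a logged-on, non-administrative user could swap an executable, which is the outcome the advisory describes; the same check is worth repeating after installing the new version to confirm that only administrators retain those rights.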
Siemens WinCC Advisory
This advisory describes multiple vulnerabilities reported by Sergey Gordeychik of Positive Technologies and Siemens ProductCERT in a coordinated disclosure. The vulnerabilities include:
• Missing encryption of sensitive data, CVE-2013-0678;
• Relative path traversal, CVE-2013-0679; and
ICS-CERT reports that a low- to medium-skilled attacker could remotely exploit these vulnerabilities to execute a DoS attack, gain read access to files, or remotely execute arbitrary code. Siemens has produced an updated version of the software that is available through customer support.
Siemens WinCC TIA Portal Advisory
This advisory describes multiple vulnerabilities affecting the Siemens WinCC TIA Portal (HMI) that were reported by multiple researchers (Billy Rios and Terry McCorkle of Cylance; Gleb Gritsai, Sergey Bobrov, Roman Ilin, Artem Chaykin, Timur Yunusov, and Ilya Karpov from Positive Technologies; and Shawn Merdinger). The vulnerabilities include:
• Insecure password storage, CVE-2011-4515;
• Improper input validation, CVE-2013-0669;
• Cross-site scripting, CVE-2013-0672;
• Directory Traversal, CVE-2013-0671;
• HTTP response splitting, CVE-2013-0670;
• Server-side script injection, CVE-2013-0667 (Note there is a typo in the link printed in the advisory, it has been corrected here); and
• Reflected cross-site scripting, CVE-2013-0668
ICS-CERT reports that a low- to medium-skilled attacker using a social engineering attack, or one holding valid user credentials, could exploit these vulnerabilities to execute a DoS attack, gain access to system files, or execute arbitrary code. Siemens has produced an updated version of the software, but recommends disabling the web server as a workaround for the web-based vulnerabilities until the new software can be installed.