Yesterday afternoon DHS ICS-CERT published an advisory providing mitigation strategies for multiple vulnerabilities identified in an ICS-CERT alert issued in January for a variety of Schneider PLC systems. That alert was issued concerning vulnerabilities identified by Arthur Gervais and disclosed during this year’s S4 Conference. Readers may remember that an update for that alert had been issued earlier this month reporting that two of the vulnerabilities identified by Arthur were not actually vulnerabilities. That alert update is not mentioned in this advisory.
This advisory reports that there are two confirmed vulnerabilities in the identified Schneider products. They are:
• Improper authentication – CVE-2013-0664; and
• Cross-site request forgery – CVE-2013-0663.
The advisory reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to execute arbitrary commands on the PLC or to modify I/O data being transmitted to or from the PLC.
According to the advisory, Schneider has not produced a patch or update to remediate these vulnerabilities. Instead they have produced a vulnerability disclosure notification that recommends:
• That owner/operators not connect the affected PLC modules to an untrusted network;
• If such a connection is required, owner/operators should block all HTTP access to the module from untrusted IP addresses using a firewall, and only allow HTTP connections from known IP addresses from secured workstations.
Actually, the Schneider document explains things a little differently. For the improper authentication vulnerability Schneider explains that:
“The execution of Modbus messages via SOAP commands is a standard function of the modules that support FactoryCast service.”
What Schneider obviously misses is that the SOAP commands themselves are not the vulnerability; the inadequate authentication of the source of those commands is the problem.
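As an added example, not code from the blog post, from Schneider or from ICS-CERT, here is one way to turn the "only allow HTTP from known secured workstations" advice above into an explicit allowlist, and then reuse the same allowlist to audit who has actually been reaching the PLC's HTTP interface (the unauthenticated SOAP path Schneider calls a standard function). It renders the allowlist as a generic Linux nftables ruleset rather than the Tofino configuration the vendor documents; the PLC address, the trusted ranges, the `/soap` path hint and the log lines are all constructed for the example.

```python
"""Allowlist policy for a PLC's HTTP interface: emit firewall rules from it
and replay it over access-log lines to find requests from untrusted sources.
Added example; addresses, paths and log lines below are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Apache/nginx "combined" style access line, as a reverse proxy or a logging
# firewall in front of the PLC might write it (constructed format).
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

# Hypothetical SOAP endpoint prefix. The real FactoryCast path is not given on
# the page; this assumption is used only to rank findings, not to match them.
SOAP_PATH_HINT = "/soap"


@dataclass
class PlcHttpPolicy:
    plc_addr: str                # the PLC module's IPv4 address
    trusted: list                # secured workstations / ranges allowed HTTP
    http_ports: tuple = (80, 443)

    def __post_init__(self):
        self.plc = ipaddress.ip_address(self.plc_addr)
        # strict=False accepts host bits set, e.g. "203.0.113.5" -> /32
        self.nets = [ipaddress.ip_network(t, strict=False) for t in self.trusted]

    def is_trusted(self, src: str) -> bool:
        """Default deny: anything not inside a listed network is untrusted."""
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            return False         # an unparsable source field is never trusted
        return any(addr in n for n in self.nets)

    def nft_ruleset(self) -> str:
        """Accept HTTP to the PLC only from the allowlist; log and drop the rest."""
        ports = ", ".join(str(p) for p in self.http_ports)
        srcs = ", ".join(str(n) for n in self.nets)
        return (
            "table inet plc_http {\n"
            "    chain forward {\n"
            "        type filter hook forward priority 0; policy accept;\n"
            f"        ip daddr {self.plc} tcp dport {{ {ports} }} "
            f"ip saddr {{ {srcs} }} accept\n"
            f"        ip daddr {self.plc} tcp dport {{ {ports} }} "
            'log prefix "plc-http-drop " drop\n'
            "    }\n"
            "}\n"
        )

    def audit(self, lines):
        """Return every parsable request whose source is outside the allowlist.
        A POST to the SOAP path is ranked high: that is the command channel."""
        findings = []
        for line in lines:
            m = LOG_RE.match(line)
            if not m:
                continue             # not an access line; skip silently
            src = m["src"]
            if self.is_trusted(src):
                continue
            soap = (m["method"] == "POST"
                    and m["path"].lower().startswith(SOAP_PATH_HINT))
            findings.append({
                "src": src, "method": m["method"], "path": m["path"],
                "status": int(m["status"]),
                "severity": "high" if soap else "medium",
            })
        return findings


# Constructed sample: one trusted workstation, one untrusted host that first
# browses and then posts to the SOAP endpoint, one garbage source, one non-log line.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Mar/2013:09:14:02 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '203.0.113.44 - - [12/Mar/2013:09:15:10 +0000] "GET /index.htm HTTP/1.1" 200 512',
    '203.0.113.44 - - [12/Mar/2013:09:15:31 +0000] "POST /soap/Modbus HTTP/1.1" 200 88',
    'not-an-ip - - [12/Mar/2013:09:16:00 +0000] "GET / HTTP/1.1" 404 0',
    'garbage line that does not parse',
]

POLICY = PlcHttpPolicy(plc_addr="192.0.2.10",
                       trusted=["198.51.100.0/28", "203.0.113.5"])


def demo():
    print(POLICY.nft_ruleset())
    for finding in POLICY.audit(SAMPLE_LOG):
        print(finding)


if __name__ == "__main__":
    demo()
```

The ruleset is deliberately two lines: an accept for the allowlist and a logged drop for everything else on the HTTP ports, so the firewall log becomes the second data source for the same audit. The severity ranking only tells an analyst where to look first; any untrusted source reaching the module at all is already a policy violation under the vendor's own advice.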
For the cross-site request forgery vulnerability Schneider notes that the “vulnerability is extremely difficult to exploit”. What is apparently left unsaid is that Schneider doesn’t think a vulnerability this difficult to exploit is worth fixing. Oops, I forgot, ICS-CERT said that a relatively unskilled attacker could exploit this vulnerability. I wonder who is actually correct?
But then again, Arthur not only exploited the vulnerability, he was able to find it in the first place. Now that other researchers know that it exists and generally how to find it, I suspect that there are a significant number of people that could exploit this ‘extremely difficult to exploit’ vulnerability. Isn’t it about time that we finally threw out the ‘security by obscurity’ model?
Schneider does provide instructions for configuring a Tofino® firewall to protect against attacks via these two vulnerabilities.
A Third Vulnerability
The vulnerability disclosure notification that describes the two vulnerabilities identified in this advisory also discloses a third vulnerability that was apparently identified by an internal Schneider research effort. Schneider describes this as an ability to “crash M340 Ethernet modules when transferring files using FileZilla FTP Client”. Schneider has produced a firmware update that mitigates this vulnerability.
What I find interesting is that the vulnerability disclosure notification is dated January 23rd, 2013, and I don’t recall seeing an ICS-CERT advisory covering this third vulnerability.
Actually, the timing of the Schneider document makes one wonder why the earlier alert update was published at all. The information provided in yesterday’s advisory was available on January 23rd, so this advisory, with a suitable explanation of why two of the vulnerabilities were not vulnerabilities, could have been published a week before the updated alert appeared. Even if Schneider wanted to embargo that release so that they could notify their customers, ICS-CERT could have published the advisory on the US CERT secure portal.