Back in January, ICS-CERT issued an alert for four
vulnerabilities in three Schneider Electric products; vulnerabilities that were
reported by Arthur Gervais during the S4 Conference held by Digital Bond. The
update to that alert published today reports that two of those vulnerabilities
were not really vulnerabilities.
M340 PLC Resource Exhaustion
ICS-CERT reports that:
“In Schneider Electric’s testing on
the reported issue, the module does in fact stop communicating when the
connection limit is exceeded, but the PLC continues its control functions and
its operation is unaffected.”
The resulting soft-reset of the communications module would
not allow a remote exploit of the vulnerability to deny PLC control functions.
From this brief description it seems to me that, depending on how easy it is to
cause the system to exceed the connection limit, this still could allow an
attacker to cause a loss of view of the system. While that is not nearly as
serious a matter as loss of control, it would still be an exploitable vulnerability.
Magelis XBT Hardcoded Credentials
ICS-CERT notes that the reported hardcoded credential in the
HMI panel is a factory default password for the security mode that is used to
enable remote configuration uploads. The updated alert states that once “the
user supplies a new password, the factory default password is no longer valid.”
I find it hard to believe that an experienced security researcher would confuse
an erasable default password with a hardcoded password, but mistakes do happen.
No Confirmation
If this had been a coordinated disclosure, ICS-CERT would
have gone back to Arthur to confirm the information reported by Schneider.
Since this was an uncoordinated disclosure, that does not appear to have been
done. Hopefully, ICS-CERT has independently confirmed the Schneider interpretation
of the situation involved in these reported vulnerabilities. There is no
statement in the revised alert indicating that this has happened.
TLP Markings
There is a document marking system employed on this updated
alert that I have not seen employed by ICS-CERT before on their alerts or
advisories; the Traffic Light Protocol. This document is marked “TLP = WHITE”.
US CERT has a Traffic
Light Protocol page on its web site that explains the marking system. It
explains that:
“The Traffic Light Protocol (TLP)
is a set of designations used to ensure that sensitive information is shared
with the correct audience. It employs four colors (Red, Amber, Green – hence ‘traffic
light’ – and White) to indicate different degrees of sensitivity and the
corresponding sharing considerations to be applied by the recipient(s).”
The page also explains where the program falls within the Controlled
Unclassified Information (CUI) program established by Executive
Order 13556:
“The Controlled Unclassified
Information (CUI) program seeks to standardize the way U.S. Executive
departments and agencies handle sensitive but unclassified (SBU) information,
including information marked as "For Official Use Only (FOUO),"
"Law Enforcement Sensitive (LES)," and others. It should be noted
that the TLP designations are not a category or sub-category under the CUI
program.”
So it seems that US CERT is violating the spirit of EO
13556. I have to emphasize that it can only violate the spirit of the EO since
the regulations that were supposed to have been published back in 2011 have yet
to be published.