Yesterday ICS-CERT published alerts for systems from Clorius Controls and Mitsubishi and an advisory for a Wind River product.
Wind River Advisory
This advisory is for multiple vulnerabilities in the Wind River VxWorks Remote Terminal Operating System (RTOS) reported by Hisashi Kojima and Masahiro Nakada of Fujitsu Laboratories in a coordinated disclosure. VxWorks is an operating system that is used in a variety of industrial control systems. The vulnerabilities include:
• Improper input validation, CVE-2013-0711, CVE-2013-0712, CVE-2013-0713, CVE-2013-0714, CVE-2013-0716; and
• Command injection, CVE-2013-0715.
ICS-CERT notes that a relatively low-skilled attacker could remotely exploit these vulnerabilities, though a couple of them require a user ID and password to exploit. Successful exploitation could lead to a DoS attack in most cases, but exploitation of one of the improper input validation vulnerabilities could lead to arbitrary code execution.
The advisory notes that “[a]ccording to Wind River, software patches” (pg 5) are available from Wind River technical support for all VxWorks versions. This wording probably indicates that neither ICS-CERT nor the original researchers have validated the efficacy of the patches.
In situations like this, where a vulnerability may affect products from multiple vendors, it would be helpful if the advisory noted either that the reported mitigation works on multiple vendors’ products, or which vendors’ products were or were not protected by the mitigation measure. ICS-CERT is the only organization that could possibly address this multiple-vendor issue. As it is, we must just assume that every product that uses VxWorks has these vulnerabilities and that each must be separately addressed by the vendor using it.
Mitsubishi Alert
This alert addresses a heap-based buffer overflow vulnerability in an ActiveX control in the Mitsubishi MX SCADA/HMI product. The vulnerability disclosure (with exploit code) was reported by Dr IDE (not identified in the ICS-CERT alert) on the OSVDB.org web site on 3-26-13. The remotely exploitable vulnerability could result in arbitrary code execution.
Clorius Controls Alert
This alert addresses an information disclosure vulnerability in the Clorius Controls ICS SCADA product. This remotely exploitable vulnerability with publicly available exploit code could result in ‘loss of confidentiality’. The alert notes that ICS-CERT is still trying to contact the researcher and Clorius Controls about this vulnerability.
Standard verbiage in both alerts clearly states that ICS-CERT will provide attribution of the researcher who discovered the vulnerability “unless the reporter notifies ICS-CERT that they wish to remain anonymous”. That does not appear to be the case in either of these alerts; Dr IDE is clearly identified in the OSVDB report, so he has no anonymity beyond his handle, and ICS-CERT apparently hasn’t been able to contact the Clorius Controls researcher. Thus it appears that ICS-CERT is slipping back into its adversarial mode in dealing with authors of uncoordinated disclosures.
The bad news here is that the black hat community may have access to details about the Clorius Controls vulnerability that the vendor and owners may not be aware of. At least in the Mitsubishi alert ICS-CERT provided a link to the OSVDB web site discussing the vulnerability so that we all have a general picture of the vulnerability and a level playing field (though it was seven days late).