Earlier today the DHS ICS-CERT published an advisory covering multiple vulnerabilities in Invensys Wonderware Information Server products. The coordinated disclosure was made by Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team. The multiple vulnerabilities included:
• Cross-site scripting, CVE-2013-0688;
• SQL injection, CVE-2013-0684;
• Improper input validation, CVE-2013-0686; and
• Resource exhaustion, CVE-2013-0685.
NOTE: These CVE links will not be functional for a couple of days.
ICS-CERT reports that a moderately skilled attacker could remotely exploit these vulnerabilities to execute remote code, disclose information, or perform session credential hijacking. The advisory notes that Invensys has developed a software update (registration required) that has been verified by PTR to mitigate the identified vulnerabilities.
These are old-school vulnerabilities that should have been identified long ago. I think the reason they are just turning up now is that they are in an ICS server. It looks like researchers are expanding the areas in which they are searching for ICS vulnerabilities. How many other types of ICS equipment will have similar vulnerabilities that would allow access to the control system?
BTW: A couple of posts back I noted that ICS-CERT had changed their format for these advisories and that one of the changes was the removal of the Traffic Light Protocol (TLP) markings. I just noticed that this advisory still includes a description of the TLP white marking that shows up near the top of page 3 on the .PDF saved version of the advisory. This is the first time this FAQ has shown up on an advisory since the format change.