Today the DHS ICS-CERT published an advisory for twin improper input validation vulnerabilities in products from Triangle MicroWorks. The vulnerabilities were reported by Adam Crain and Chris Sistrunk in a coordinated disclosure.
ICS-CERT reports that the twin vulnerabilities exist separately in serial and IP communications. The serial version is only locally exploitable and the IP version may be remotely exploited. ICS-CERT reports that a higher skill level is required to exploit the serial version of the vulnerability because “physical access to the device or some amount of social engineering is required”. I’m not sure why social engineering skills are considered to be a ‘high skill level’ unless they have determined that advanced social engineering skills are required for the serial exploit.
According to ICS-CERT the successful exploit of either version of the vulnerability could result in a denial of service situation because the software could be sent “into an infinite loop” requiring a manual reset.
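The advisory does not say what the input validation defect in the Triangle MicroWorks library actually is, so the following is a constructed illustration of the bug class it describes (a length field taken from the wire that lets a parsing loop stop making progress), not Triangle MicroWorks' code and not the DNP3 wire format. It is an added example, not from the original post. The item layout (a one-byte total length followed by a one-byte type), the frame contents and the function names are all assumptions made for the demonstration. The naive walker carries an iteration cap only so that the demonstration terminates; the checked walker is the form that makes a denial of service by malformed input impossible, because every iteration either advances the cursor by at least the header size or rejects the frame.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed item layout (an assumption, not DNP3):
 *   [total_len:1][type:1][value:total_len-2]
 * total_len counts the two header bytes, so a well-formed item has total_len >= 2. */
enum { ITEM_HDR = 2 };

/* Constructed sample frames. */
static const uint8_t FRAME_GOOD[]    = { 0x04, 0x01, 0xAA, 0xBB, 0x02, 0x07 }; /* two items */
static const uint8_t FRAME_ZERO[]    = { 0x04, 0x01, 0xAA, 0xBB, 0x00, 0x07 }; /* second item says length 0 */
static const uint8_t FRAME_OVERRUN[] = { 0x09, 0x01, 0xAA };                   /* item longer than the frame */

/* Naive walker: trusts the length byte. A total_len of 0 leaves off unchanged,
 * so the loop never terminates. The cap exists only for this demonstration;
 * returning -1 means "would have looped forever". */
int walk_naive(const uint8_t *buf, size_t buflen, unsigned cap)
{
    size_t off = 0;
    int items = 0;
    for (unsigned iters = 0; off < buflen; iters++) {
        if (iters >= cap)
            return -1;
        off += buf[off];   /* bug: no check that this advances the cursor or stays in bounds */
        items++;
    }
    return items;
}

/* Checked walker: rejects any item that would not advance the cursor by at
 * least the header size or that runs past the end of the frame. Returns the
 * item count, or -1 so the caller can drop the frame instead of hanging. */
int walk_checked(const uint8_t *buf, size_t buflen)
{
    size_t off = 0;
    int items = 0;
    while (off < buflen) {
        size_t remaining = buflen - off;
        if (remaining < ITEM_HDR)
            return -1;              /* truncated header */
        size_t len = buf[off];
        if (len < ITEM_HDR)
            return -1;              /* zero or one byte: the infinite-loop case */
        if (len > remaining)
            return -1;              /* value would run past the frame */
        off += len;                 /* guaranteed progress of at least ITEM_HDR */
        items++;
    }
    return items;
}

int main(void)
{
    printf("good:    naive=%d checked=%d\n",
           walk_naive(FRAME_GOOD, sizeof FRAME_GOOD, 16),
           walk_checked(FRAME_GOOD, sizeof FRAME_GOOD));
    printf("zero:    naive=%d checked=%d\n",
           walk_naive(FRAME_ZERO, sizeof FRAME_ZERO, 16),
           walk_checked(FRAME_ZERO, sizeof FRAME_ZERO));
    printf("overrun: checked=%d\n",
           walk_checked(FRAME_OVERRUN, sizeof FRAME_OVERRUN));
    return 0;
}
```

The detection opportunity on the defender's side is the same in both transports the advisory mentions: a parser that returns an error on the zero-length item can log and count the rejected frame, whereas the naive one gives the operator nothing but a hung process that needs the manual reset the advisory describes.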
Triangle MicroWorks has produced an update and release notes to resolve the vulnerabilities. Actually a casual review of the release notes makes it clear that much (32 pages of much) more than just this vulnerability was fixed in this update. It makes good sense to fix multiple problems in a single update, but I have to wonder if the release was delayed to fix these security vulnerabilities or if the release of the security fix was delayed to fix other problems as well. ICS-CERT reports that Adam has validated the efficacy of the update.
The Rest of the Story (apologies to Paul Harvey)
I got an interesting email from Adam pointing out that this is a bigger issue than it may look like in the advisory. Adam notes:
“Note that this is a source code library. TMW has > 50% market share. We don't know where this code is deployed/sold and DHS lacks authority to force disclosure.”
Now this is not an uncommon problem. In fact, I have mentioned similar situations with a number of software vulnerabilities as have others. Fortunately (sarcasm alert) this is only a denial of service vulnerability. It’s not like it allows an attacker to execute arbitrary code, so it’s not a real problem (end sarcasm alert).
Adam makes a good point about the lack of authority of DHS, except that he’s making that lack of authority too specific in his complaint. Let’s face it, outside of the federal government, DHS (and most emphatically including ICS-CERT) has no cybersecurity authority to compel industry to do anything. At most they have the gentle power of persuasion and the threat of disclosure to try to modify the behavior of the advised (as opposed to regulated) industries.
If this had been an uncoordinated disclosure, Adam would have had exploit code posted on a web site somewhere and other researchers could have explored other DNP3 applications to see if the same exploit could be found on other systems. Without that, other researchers will just have to look at a variety of TCP packets to see what works on the Triangle MicroWorks supported systems and then evaluate the rediscovered exploits (or maybe new ones, you never can tell) on other systems. That probably won’t be a significant delay.
This raises a couple of interesting questions:
How many of the ‘other’ researchers will notify the vendor in a coordinated disclosure versus selling the vulnerability to the highest bidder?
Has Triangle MicroWorks notified each of its customers that the vulnerability is affecting their systems?
How many of the downstream vendors do not have the application expertise to adapt the Triangle MicroWorks update to their own system?