Today the DHS ICS-CERT published an
advisory for twin improper input validation vulnerabilities in products
from Triangle MicroWorks. The vulnerabilities were reported by Adam Crain and
Chris Sistrunk in a coordinated disclosure.
The Advisory
ICS-CERT reports that the twin vulnerabilities exist
separately in the serial and IP communications paths. The serial version is only locally
exploitable, while the IP version may be remotely exploited. ICS-CERT reports that
a higher skill level is required to exploit the serial version of the
vulnerability because “physical access to the device or some amount of social
engineering is required”. I’m not sure why social engineering skills are
considered to be a ‘high skill level’ unless they have determined that advanced
social engineering skills are required for the serial exploit.
According to ICS-CERT the successful exploit of either
version of the vulnerability could result in a denial of service situation
because the software could be sent “into an infinite loop” requiring a manual
reset.
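The advisory gives no detail on how the malformed input drives the stack into its loop, so the following is an added illustration of the bug class only, not Triangle MicroWorks' code and not the actual flaw. It assumes a hypothetical record layout of [len][type][payload] where len counts the whole record, and shows a parser that trusts that field beside one that validates it; the sample frames are constructed for the demo, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical record layout, assumed for this illustration only:
 *   [len][type][payload ...]
 * where len counts the whole record, including the len byte itself.
 * A well-formed record is therefore at least 2 bytes long. */

#define MAX_ITERATIONS 100000UL

/* Iteration count of the last vulnerable parse, exposed so the demo can
 * show that a zero length field spins the loop until the guard trips. */
unsigned long vulnerable_iterations = 0;

/* Vulnerable parser: trusts len. A len of 0 never advances pos, so without
 * the MAX_ITERATIONS guard (present only so the demo terminates) the loop
 * would run forever, which is the "infinite loop" denial of service the
 * advisory describes. Returns records parsed, or -1 if the guard tripped. */
long parse_records_vulnerable(const uint8_t *buf, size_t n)
{
    size_t pos = 0;
    long records = 0;
    vulnerable_iterations = 0;
    while (pos < n) {
        if (++vulnerable_iterations > MAX_ITERATIONS)
            return -1;                 /* real code would hang here */
        uint8_t len = buf[pos];
        pos += len;                    /* BUG: len may be 0 or exceed n - pos */
        records++;
    }
    return records;
}

/* Hardened parser: validates the length field before using it. A record
 * must cover at least its own header and must fit in the remaining buffer,
 * so pos strictly increases every iteration and the loop always terminates.
 * Returns records parsed, or -1 if the frame is rejected (service keeps
 * running; only the bad frame is dropped). */
long parse_records_hardened(const uint8_t *buf, size_t n)
{
    size_t pos = 0;
    long records = 0;
    while (pos < n) {
        uint8_t len = buf[pos];
        if (len < 2 || len > n - pos)
            return -1;                 /* malformed: reject, do not loop */
        pos += len;
        records++;
    }
    return records;
}

/* Constructed sample frames (not captured traffic). */
const uint8_t GOOD_FRAME[]     = {3, 0x01, 0xAA, 2, 0x02}; /* two valid records */
const uint8_t ZERO_LEN_FRAME[] = {3, 0x01, 0xAA, 0, 0x02}; /* second record has len 0 */
const uint8_t OVERLONG_FRAME[] = {9, 0x01, 0xAA};          /* claims 9 bytes, 3 present */

int main(void)
{
    printf("good:     vuln=%ld hard=%ld\n",
           parse_records_vulnerable(GOOD_FRAME, sizeof GOOD_FRAME),
           parse_records_hardened(GOOD_FRAME, sizeof GOOD_FRAME));
    printf("zero len: vuln=%ld (after %lu iterations) hard=%ld\n",
           parse_records_vulnerable(ZERO_LEN_FRAME, sizeof ZERO_LEN_FRAME),
           vulnerable_iterations,
           parse_records_hardened(ZERO_LEN_FRAME, sizeof ZERO_LEN_FRAME));
    printf("overlong: vuln=%ld hard=%ld\n",
           parse_records_vulnerable(OVERLONG_FRAME, sizeof OVERLONG_FRAME),
           parse_records_hardened(OVERLONG_FRAME, sizeof OVERLONG_FRAME));
    return 0;
}
```

The point of the comparison is that the hardened version fails closed on a single bad frame rather than taking the whole process down, which is exactly the difference between "drop a packet" and "manual reset" in the advisory's impact statement.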
Triangle MicroWorks has produced an update and release
notes to resolve the vulnerabilities. Actually, a casual review of the release
notes makes it clear that much (32 pages of much) more than just this
vulnerability was fixed in this update. It makes good sense to fix multiple
problems in a single update, but I have to wonder whether the release was delayed to
fix these security vulnerabilities or whether the release of the security fix was
delayed to fix other problems as well. ICS-CERT reports that Adam has validated
the efficacy of the update.
The Rest of the Story
(apologies to Paul Harvey)
I got an interesting email from Adam pointing out that this
is a bigger issue than it may look like in the advisory. Adam notes:
“Note that this is a source code
library. TMW has > 50% market share. We don't know where this code is
deployed/sold and DHS lacks authority to force disclosure.”
Now this is not an uncommon problem. In fact, I have
mentioned similar situations with a number of software vulnerabilities as have
others. Fortunately (sarcasm alert) this is only a denial of service
vulnerability. It’s not like it allows an attacker to execute arbitrary code,
so it’s not a real problem (end sarcasm alert).
Adam makes a good point about the lack of authority of DHS,
except that he’s making that lack of authority too specific in his complaint.
Let’s face it, outside of the federal government, DHS (and most emphatically
including ICS-CERT) has no cybersecurity authority to compel industry to do
anything. At most they have the gentle power of persuasion and the threat of
disclosure to try to modify the behavior of the advised (as opposed to
regulated) industries.
If this had been an uncoordinated disclosure, Adam would
have had exploit code posted on a web site somewhere and other researchers
could have explored other DNP3 applications to see if the same exploit could be
found on other systems. Without that, other researchers will just have to
send a variety of DNP3-over-TCP packets to see what works on the Triangle MicroWorks
supported systems and then evaluate the
rediscovered exploits (or maybe new ones, you never can tell) on other systems.
That probably won’t be a significant delay.
This raises a couple of interesting questions:
How many of the ‘other’ researchers
will notify the vendor in a coordinated disclosure versus selling the
vulnerability to the highest bidder?
Has Triangle MicroWorks notified
each of its customers that the vulnerability is affecting their systems?
How many of the downstream vendors
do not have the application expertise to
adapt the Triangle MicroWorks update to their own systems?