Today DHS ICS-CERT published three advisories: a new Crain-Sistrunk DNP3 vulnerability, an update on the mitigation measures for last week's Sierra Wireless advisory, and an advisory that is moving from the secure portal to public release.
Schneider Electric ClearSCADA Advisory
This advisory addresses an uncontrolled resource consumption vulnerability in the Schneider Electric ClearSCADA series of products. The vulnerability in the DNP3 implementation was reported by Adam Crain and Chris Sistrunk in a coordinated disclosure. Schneider has produced a new software version that mitigates the vulnerability, and Adam Crain has verified the efficacy of the fix.
ICS-CERT reports that a moderately skilled attacker could remotely exploit the vulnerability to cause DNP3Driver.exe to hang, interrupting system processing. Essentially this is a denial of service (DoS) attack vector: the driver stops servicing DNP3 traffic, so the outstations behind it go dark to the master until the process is restarted.
According to the Schneider Electric website, they publicly disclosed this vulnerability on December 5th, 2013.
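The advisory does not say which malformed input makes DNP3Driver.exe hang, so the following is only an added illustration of the vulnerability class (a protocol parser that does not bound what it accepts), not Schneider's code, ICS-CERT's, or anything from Crain and Sistrunk. It is a small DNP3 link-layer frame validator I wrote for this post: it computes the exact wire size a frame must have from its LENGTH octet, checks the header and data-block CRCs, and rejects anything else immediately rather than waiting for bytes that never arrive or looping on an impossible length. Frame layout and the CRC-16/DNP parameters are from the public DNP3 specification; the function names, the sample frame and the sample address values are mine.

```python
"""DNP3 link-layer frame validation (added illustration; not Schneider or ICS-CERT code)."""
import math
from dataclasses import dataclass

START = b"\x05\x64"
MIN_LENGTH = 5      # LENGTH counts CONTROL + DESTINATION(2) + SOURCE(2) + user data, not CRCs
MAX_LENGTH = 255    # LENGTH is a single octet
HEADER_SIZE = 10    # start(2) + length(1) + control(1) + dest(2) + source(2) + crc(2)
BLOCK_SIZE = 16     # user data travels in 16-octet blocks, each followed by a 2-octet CRC


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, reflected, output inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def frame_size_for(length_field: int) -> int:
    """Exact number of octets on the wire for a frame with this LENGTH value."""
    user_len = length_field - MIN_LENGTH
    return HEADER_SIZE + user_len + 2 * math.ceil(user_len / BLOCK_SIZE)


@dataclass
class LinkFrame:
    control: int
    destination: int
    source: int
    user_data: bytes


def build_link_frame(control: int, destination: int, source: int, user_data: bytes = b"") -> bytes:
    """Encode a frame the same way the parser expects it (used to construct test input)."""
    if len(user_data) > MAX_LENGTH - MIN_LENGTH:
        raise ValueError("user data does not fit in one link frame")
    header = START + bytes([len(user_data) + MIN_LENGTH, control])
    header += destination.to_bytes(2, "little") + source.to_bytes(2, "little")
    out = header + crc_dnp(header).to_bytes(2, "little")
    for i in range(0, len(user_data), BLOCK_SIZE):
        block = user_data[i:i + BLOCK_SIZE]
        out += block + crc_dnp(block).to_bytes(2, "little")
    return out


def parse_link_frame(buf: bytes) -> LinkFrame:
    """Validate one complete frame. Every check fails fast instead of stalling the parser."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("short header")
    if buf[:2] != START:
        raise ValueError("bad start octets")
    length = buf[2]
    if not MIN_LENGTH <= length <= MAX_LENGTH:
        raise ValueError(f"illegal LENGTH {length}")
    # Header CRC covers the first 8 octets, start octets included.
    if crc_dnp(buf[:8]) != int.from_bytes(buf[8:10], "little"):
        raise ValueError("header CRC mismatch")
    expected = frame_size_for(length)
    if len(buf) != expected:
        raise ValueError(f"got {len(buf)} octets, LENGTH {length} implies {expected}")
    user_len = length - MIN_LENGTH
    user_data = bytearray()
    pos = HEADER_SIZE
    while len(user_data) < user_len:          # bounded by user_len, which is at most 250
        n = min(BLOCK_SIZE, user_len - len(user_data))
        block = buf[pos:pos + n]
        if crc_dnp(block) != int.from_bytes(buf[pos + n:pos + n + 2], "little"):
            raise ValueError(f"data CRC mismatch at offset {pos}")
        user_data += block
        pos += n + 2
    return LinkFrame(buf[3], int.from_bytes(buf[4:6], "little"),
                     int.from_bytes(buf[6:8], "little"), bytes(user_data))


def validate(buf: bytes) -> str:
    """'ok' for a well-formed frame, otherwise the reason it was rejected."""
    try:
        parse_link_frame(buf)
        return "ok"
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed sample: a 20-octet payload from address 1 (master) to outstation 1024.
    good = build_link_frame(0xC4, 1024, 1, bytes(range(20)))
    print("good frame:", validate(good))
    print("truncated :", validate(good[:-3]))
    print("LENGTH=0  :", validate(good[:2] + b"\x00" + good[3:]))
```

The point is the pair of checks in the middle: LENGTH is range-checked before anything is derived from it, and the derived wire size is compared with what actually arrived. A parser that instead reads "LENGTH more bytes" from the socket, or that loops until it has assembled a payload the sender never finishes, is the pattern that turns a single bad frame into a hung driver.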
Sierra Wireless Advisory Update
This advisory update provides additional information about mitigation measures for the vulnerability reported last week. Sierra Wireless provides a vulnerability note dated January 10th advising against over-the-air firmware updates because, during “the update process, password data is transmitted to the device”. It recommends that the over-the-air programming feature be disabled.
The vulnerability note also has a recommendation for high-security applications:
“For high-security applications such as critical infrastructure monitoring, Sierra Wireless advises customers to deploy cellular devices using a Private Cellular Network or VPN to reduce the risk of an attacker capturing data transferred to/from the device.”
The product pages that, as I reported last week, did not mention that the device was discontinued now contain the following product status note: “Discontinued, still supported”.
This new information provides customers with a little more usable information than did the original advisory, which essentially just said “Well, we’ve discontinued the defective device, it’s now your problem”.
WellinTech Advisory
This advisory was originally released on the secure portal (on HSIN) last month and is now being released to the public. The advisory describes twin vulnerabilities affecting a variety of the WellinTech SCADA products. The vulnerabilities were reported by Andrea Micalizzi via the Zero Day Initiative (ZDI) in a coordinated disclosure. I was not able to find the ZDI listing for this vulnerability.
The twin vulnerabilities are:
• Information disclosure vulnerability, CVE-2013-2826; and
• ActiveX remote code execution vulnerability, CVE-2013-2827
NOTE: The CVE links are not yet active.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to either obtain system credentials or execute arbitrary code through the vulnerable ActiveX control (a DLL). WellinTech has provided new versions of the affected software that mitigate the vulnerabilities. There is no mention of anyone verifying the efficacy of the new software versions in fixing these vulnerabilities.