This afternoon the DHS ICS-CERT published advisories for control systems from two major vendors, Siemens and Rockwell. Both advisories were based upon vulnerabilities discovered by outside researchers that were revealed in coordinated disclosures.
The Siemens advisory is based upon information disclosed in a Siemens ProductCERT advisory released Monday morning for SIMATIC WinCC OA. The vulnerabilities covered in these advisories were discovered by Gleb Gritsai, Ilya Karpov, and Kirill Nesterov of Positive Technologies. The vulnerabilities were:
• Improper control of generation of code, CVE-2014-1697;
• Relative path traversal, CVE-2014-1698;
• Improper input validation, CVE-2014-1699; and
• Use of password hash with insufficient computational effort, CVE-2014-1696.
NOTE: The CVE links have not yet become active.
Both advisories note that a moderately skilled attacker could remotely exploit the vulnerabilities to escalate their privileges, perform remote code execution, traverse through file systems, or cause a denial of service. Siemens does note that an attacker would have to have network access to exploit these vulnerabilities.
Siemens has produced software updates for the systems affected by these vulnerabilities. Neither advisory mentions whether the researchers who discovered the vulnerabilities have had a chance to verify the efficacy of the updates.
The Rockwell advisory is based upon a vulnerability reported by Stephen Dunlap in a coordinated disclosure. Dunlap reported an insufficiently protected credentials vulnerability in the RSLogix 5000 software. This advisory was previously posted to the US-CERT protected portal to allow system owners a chance to upgrade their systems before the vulnerability became public.
The vulnerability could allow an attacker to access and tamper with information in controller configuration programs. Not mentioned in the advisory is the fact that these files would provide invaluable information for an attacker to develop an exploit based upon some other access to the system.
ICS-CERT notes that a moderately skilled attacker with local access to the system could exploit the vulnerability when an authorized user accesses their password.
Rockwell has produced new versions of the RSLogix 5000 software that address this vulnerability. There is no mention of whether or not Dunlap has been provided an opportunity to verify the efficacy of the updated software versions. Project files modified with the newer versions of the software cannot be opened by earlier versions, which means that an organization would have to upgrade all of its systems running the RSLogix 5000 software.