There has been an interesting Twittversation about these vulnerabilities since I did my earlier post.
Carsten Eiram (@carsteneiram) provided a link to the original vulnerability report that Risk Based Security published after Schneider apparently published their original (though no longer available) advisory back in March of last year. While that report is not exactly ‘exploit code’ it certainly contains enough information that a reasonably competent hacker should be able to write their own.
Adam Crain (@jadamcrain; of DNP3 Fuzzing Fame) asked: “Any idea what took @ICS-CERT so long on this one?” This is certainly a good question since it has now been over a year since Schneider first publicly reported the vulnerability.
The delay is almost certainly related to the fact that Schneider is fixing the problem system by system. While the problem is reportedly in the common ModbusDriverSuite, the implementation of that suite in each of the eleven products is likely slightly different. According to the most recent Schneider advisory (dated September 13th, 2013) they don’t intend to issue product updates just for this vulnerability; the fix will be included in the next product update.
I suspect that either ICS-CERT finally got fed up with the slow pace of updates or they received some recent communication from Schneider that indicated that Schneider had effectively decided not to fix the other eight products. Either would certainly explain the following comment in yesterday’s ICS-CERT Advisory:
“Schneider Electric has no immediate plan [emphasis added] for updating the other identified software products.”
In any case, Schneider has left customers owning the below listed software in an unenviable position. Their control system has a publicly identified security vulnerability that there is only a network limitation fix available; a fix that individual customers may or may not be in a situation to be able to put into place.
• TwidoSuite Versions 2.31.04 and earlier (available next month?);
• PowerSuite Versions 2.6 and earlier;
• SoMove Versions 1.7 and earlier;
• SoMachine Versions 2.0, 3.0, 3.1, and 3.0 XS;
• UnityLoader Versions 2.3 and earlier;
• Concept Versions 2.6 SR7 and earlier;
• ModbusCommDTM sl Versions 2.1.2 and earlier;
• PL7 Versions 4.5 SP5 and earlier and
• SFT2841 Versions 14, 13.1 and earlier.
Maybe this push by ICS-CERT will speed up the process. Or maybe enough complaints from customers will provide the necessary impetus. Finally regulators that have cyber security controls available may want to ensure that folks with these systems are taking special precautions.