Today the DHS ICS-CERT published four advisories for vulnerabilities in industrial control systems. They cover vulnerabilities in products from InduSoft, Festo, Siemens and Certec. Only one advisory deals with HeartBleed. The advisory of note shows that ICS-CERT can get upset with vendor inaction.
The InduSoft advisory describes a path traversal vulnerability in the InduSoft Web Studio application. It was reported by John Leitch in a coordinated disclosure through the Zero Day Initiative (ZDI). This advisory was originally released on the US-CERT secure portal on April 17th. A patch is available, but there is no indication that its efficacy has been evaluated by the researcher.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to gain further access that would allow arbitrary code execution.
The Festo advisory describes multiple vulnerabilities in the Festo PLC. The vulnerabilities were reported by Reid Wightman of IOActive in a coordinated disclosure. ICS-CERT reports that Festo has opted not to address these vulnerabilities. The vulnerabilities include:
• Improper authentication (FTP Backdoor), CVE-2014-0760;
• Improper authentication (two unauthenticated ports), CVE-2014-0769;
• Improper access controls (using outdated CoDeSys runtime module), CVE-2012-6068; and
• Directory traversal (same outdated CoDeSys module), CVE-2012-6069.
ICS-CERT reports that a relatively low-skilled attacker could use publicly available code to remotely exploit these vulnerabilities.
I want to commend ICS-CERT for getting angry in one of their advisories; this is a situation that certainly appears to deserve an adversarial response. I think the best statement from ICS-CERT can be found in the Overview section of the Advisory:
“This advisory is being published to alert critical infrastructure asset owners of the risk of using this equipment [emphasis added] and for them to increase compensating measures if possible.”
I read Reid’s TWEET® about this advisory earlier today and was kind of surprised at his reaction. I am not surprised now. Again, kudos to ICS-CERT for reacting to this callous disregard for customer security. It will be interesting to see if there is a change in attitude in Esslingen am Neckar, FRG.
The Siemens advisory addresses two vulnerabilities in the Siemens SIMATIC S7-1200 PLC family. This is a mix of self-reported and researcher-reported vulnerabilities. The researchers from OpenSource Training are Ralf Spenneberg, Hendrik Schwartke, and Maik Brüggeman. Siemens reports that they have produced a new version that mitigates the vulnerabilities, though there is no indication that the researchers have validated the efficacy of the fix. The vulnerabilities include:
• Cross site scripting, CVE-2014-2908; and
• Improper neutralization of CRLF sequences, CVE-2014-2909.
ICS-CERT reports that it would take a skilled attacker with physical access, and the assistance of an authorized user, to exploit these vulnerabilities. A successful exploit could result in a DoS attack.
The Certec advisory is the one that was foretold in yesterday’s blog post about ICS-CERT HeartBleed publications. The Certec atvise SCADA product is susceptible to the HeartBleed bug. An update that includes a newer version of the OpenSSL software has been made available.