This afternoon the DHS ICS-CERT published advisories for vulnerabilities in four different control systems. The vendors include: Advantech, Siemens, WellinTech and OSISoft. All were coordinated disclosures.
This advisory is for multiple vulnerabilities in the Advantech WebAccess product. The vulnerabilities were coordinated through the ZDI initiative (still on the ‘Upcoming’ ZDI page) by Andrea Micalizzi (aka rgod), Tom Gallagher, and an independent anonymous researcher. ICS-CERT reports that Advantech has produced a new version of the software that corrects the problem, but does not say that anyone has verified the efficacy of the update.
The vulnerabilities are:
• SQL injection, CVE-2014-0763;
• Stack based buffer overflow (5), CVE-2014-0764, CVE-2014-0765, CVE-2014-0766, CVE-2014-0767, CVE-2014-0768;
• Command injection, CVE-2014-0773.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code or read files stored on the target machine.
This advisory is for a Browser Exploit Against SSL/TLS (BEAST) vulnerability (Note: this is not associated with the Heartbleed SSL/TLS bug) in the Ruggedcom Win product line. The vulnerability was reported to Siemens ProductCERT by Dan Frein and Paul Cotter of West Monroe Partners. Siemens has produced a firmware update that resolves the issue. The Siemens ProductCERT Advisory describes additional mitigation techniques.
ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to access the session ID of the current user. That could be used to read traffic exchanged between the user and the device.
This advisory describes a stack-based buffer overflow vulnerability in the KingSCADA application that was reported by an anonymous researcher through ZDI. WellinTech has produced a patch that mitigates the vulnerability, though there is nothing in the advisory that indicates that the mitigation has been independently verified.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to execute arbitrary code.
According to the WellinTech web site, the patch was made available on March 27th, 2014.
This advisory describes a Crain-Sistrunk reported vulnerability in the PI Interface for DNP3; it is the typical improper input validation vulnerability, present in both the IP and serial communication modes of the device.
ICS-CERT reports that while a moderately skilled attacker could remotely exploit the IP vulnerability, it would take a more skilled attacker with physical access to exploit the serial interface vulnerability. As I have said on previous occasions, I disagree with the term ‘skilled attacker’ to describe the exploit requirements for plugging in a serial cable in an unmanned facility.
It has been almost two months since the last Crain-Sistrunk vulnerability was reported by ICS-CERT. According to the Project Robus web site, only 17 of 28 (it should now read 18 of 28) DNP3 vulnerable systems have been reported by ICS-CERT. I asked Adam Crain about this in a Twitversation today and he explained that most of the remaining vendors are not talking to ICS-CERT.
Given their adamant stand on coordinated disclosures, it is unlikely that Adam or Chris will out any of these vendors any time soon. So, if you have a DNP3 system that has not yet been outed by ICS-CERT, then you might want to download the Crain-Sistrunk fuzzer and check your system for yourself.