This afternoon the DHS ICS-CERT published an update of an older advisory for Rockwell Allen-Bradley Micrologic and a new advisory for IOServer’s OPC Drivers. While not listed on the ICS-CERT landing page, they have also updated yesterday’s alert for the HeartBleed vulnerability.
Rockwell Allen-Bradley Update
This advisory was originally published on 12-7-12 and then updated four days later. Today’s update advises that:
• Rockwell has now produced a patch to mitigate the fault generation vulnerability; the previous update noted that Rockwell was considering if a patch would be produced;
• The CVSS v2 base score of 8.5 has been recalculated to be a CVSS v2 base score of 7.1. The new CVSS vector string is (AV:N/AC:M/Au:N/C:N/I:N/A:C); and
• A new Rockwell Automation report (registration required) was published on this vulnerability last summer.
This appears to be a late ICS-CERT response to a less than timely vendor response. To be fair to ICS-CERT, however, Rockwell may not have kept them up to date on the actions taken on this vulnerability.
IOServer Advisory
This advisory addresses a Crain-Sistrunk-reported improper input validation vulnerability in the OPC Driver (fooled you, not the DNP3 Driver) from IOServer. It was, as we have come to expect from this duo, a coordinated disclosure.
ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to send information to the system that could “lead to parts of the system receiving unintended input, which may result in altered control flow or arbitrary control of a resource”. This sounds very close to saying ‘exploit arbitrary code’.
This advisory is full of surprises. It reports that:
“Adam Crain and Chris Sistrunk updated and tested this version and validated that this vulnerability is resolved.”
We apparently have a new standard for independent researchers; find it, report it, fix it and verify that the fix works. The vendors can now take a long lunch break.
HeartBleed Alert Update
ICS-CERT has updated yesterday’s HeartBleed alert with some information that may be pertinent to control system security. It provides a little more detail about the vulnerability itself and includes a link to a blog post about yesterday’s SANS briefing (with links to the slides for the briefing) by Jacob Williams. This looks like some good technical information, though not specifically about control system vulnerabilities tied to HeartBleed.
The update also includes the intended scare phrase “ICS-CERT is aware of several instances of targeted active exploitation of this vulnerability” while never stating that those exploits have targeted control systems. I would assume that they did not (yet, at least).
The alert now includes instructions for developers for a workaround if the new version of OpenSSL cannot be loaded. It also has an example of an IDS signature for detecting an exploit of this vulnerability.
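The IDS signatures for HeartBleed all key on the same thing: a TLS heartbeat record whose declared payload length does not fit inside the record that carries it, which is the malformed shape the vulnerable OpenSSL code failed to reject. The checker below is an added example written for this post, not the signature from the ICS-CERT alert or any vendor's rule; it applies the length rule from RFC 6520 (type byte, two-byte payload_length, payload, at least 16 bytes of padding) to raw TLS records. The sample records at the bottom are constructed for the test, not captured traffic.

```python
import struct

# TLS record content type for heartbeat messages (RFC 6520); 23 is application data.
CONTENT_HEARTBEAT = 24
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16   # RFC 6520: every heartbeat message ends with at least 16 bytes of padding


def parse_records(data: bytes):
    """Split a byte stream into TLS records; yields (content_type, version, body)."""
    offset = 0
    while offset + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        yield ctype, (major, minor), body
        offset += 5 + length


def check_heartbeat(body: bytes) -> dict:
    """Apply the RFC 6520 length rule to one heartbeat record body.

    A well-formed message is type(1) + payload_length(2) + payload + padding(>=16).
    If payload_length plus the minimum padding exceeds what the record actually
    carries, a vulnerable peer would read past the message when building its reply.
    """
    if len(body) < 3:
        return {"verdict": "malformed", "reason": "body shorter than heartbeat header"}
    hb_type, declared = struct.unpack("!BH", body[:3])
    available = len(body) - 3            # bytes actually present after the header
    result = {"type": hb_type, "declared_len": declared, "available": available}
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        result.update(verdict="malformed", reason="unknown heartbeat type")
    elif declared + MIN_PADDING > available:
        result.update(verdict="suspicious",
                      reason="declared payload_length exceeds record contents")
    else:
        result.update(verdict="ok")
    return result


def scan_stream(data: bytes) -> list:
    """Return a verdict for each heartbeat record in a stream; other record types are skipped."""
    findings = []
    for ctype, version, body in parse_records(data):
        if ctype == CONTENT_HEARTBEAT:
            verdict = check_heartbeat(body)
            verdict["version"] = version
            findings.append(verdict)
    return findings


# Constructed sample records (not captured traffic).
# Benign request: 4-byte payload "ping" plus 16 bytes of padding; lengths are consistent.
BENIGN_HEARTBEAT = (
    bytes([CONTENT_HEARTBEAT, 3, 2]) + struct.pack("!H", 3 + 4 + 16)
    + bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 4) + b"ping" + b"\x00" * 16
)
# Suspicious request: declares a 4096-byte payload but the record carries no payload at all.
OVERSIZED_HEARTBEAT = (
    bytes([CONTENT_HEARTBEAT, 3, 2]) + struct.pack("!H", 3)
    + bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", 4096)
)
# Application-data record that the scanner should ignore.
APP_DATA = bytes([23, 3, 2]) + struct.pack("!H", 5) + b"hello"

if __name__ == "__main__":
    for finding in scan_stream(APP_DATA + BENIGN_HEARTBEAT + OVERSIZED_HEARTBEAT):
        print(finding)
```

The caveat that belongs next to any such signature: the check only works on heartbeat records the sensor can read in the clear, which in practice means those exchanged before the handshake finishes (where probes for this bug are normally sent). A heartbeat inside an established, encrypted session is opaque to the sensor, so a wire-level rule complements patching OpenSSL and re-issuing keys; it does not replace them.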
You can’t tell just by looking at this update (it is outside of the red-bordered change areas), but ICS-CERT removed an embarrassing bit of boilerplate from the alert. It no longer refers to using a VPN to remotely access control systems. It would have been better if the boilerplate had been changed instead of removed. It is important that current control system users of VPNs know that this is a prime potential area for running into HeartBleed and that the VPN should probably not be used until it has been checked for the vulnerability and fixed if necessary.