Today the DHS ICS-CERT published an update to yesterday’s alert about an automated road sign system and an advisory for a new vulnerability in OpenSSL. Neither system is what comes to most people’s minds when the term ‘industrial control system’ is mentioned. The first extends the definition because apparently ICS-CERT doesn’t already have enough on its plate and the second reminds us that secure communications is a key component of any secure cyber-system.
Daktronics Alert Update
Today’s update brings new information about the scope of the vulnerability and an expansion of the interim mitigation measures suggested by Daktronics and the Federal Highway Administration, the organization that notified ICS-CERT of this particular vulnerability.
According to Daktronics the ‘hard coded credential’ is actually a default password that can (and obviously should) be changed when the system is installed. I can understand why the FHA gets the two vulnerabilities confused; after all (SARCASM WARNING) they are a well-known font of control system security knowledge.
The Update also includes three ‘device specific’ mitigation measures to add to the standard ICS-CERT generic security measures. The new mitigation suggestions are:
• Displays should not be on publicly accessible IP addresses. Placing a display on a private network or VPN helps mitigate the lack of security,
• Disable the telnet, webpage, and web LCD interfaces when not needed, and
• Change the default password to a strong password as soon as possible on all installed devices.
Nothing really new there; I hope that is because ICS-CERT is not spending valuable resources on this particular vulnerability.
OpenSSL Advisory
Remember how upset the control system security community was with the initial ICS-CERT advisory about the HeartBleed vulnerability because there was so little actual control system information available in it. Well, the folks at ICS-CERT did not learn the lesson; today’s advisory about the multiple vulnerabilities recently corrected by OpenSSL contains even less information. They don’t even list the vulnerabilities involved.
According to the OpenSSL Security Advisory the vulnerabilities include:
• SSL/TLS MITM vulnerability (CVE-2014-0224)[This was the only vulnerability mentioned in the KB-CERT Advisory that I tweeted about this morning];
• DTLS recursion flaw (CVE-2014-0221);
• DTLS invalid fragment vulnerability (CVE-2014-0195);
• SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198);
• SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298); and
• Anonymous ECDH denial of service (CVE-2014-3470)
In many ways we are in the same place we were when the HeartBleed alert was first published: we don’t know which control systems use the vulnerable OpenSSL versions. ICS-CERT does point users at their HeartBleed affected list with the following comment:
“NCCIC/ICS-CERT has produced an OpenSSL affected/unaffected products list that specifies which vendors, products, and product versions are affected by the OpenSSL HeartBleed vulnerability. This document also contains a list of vendors, products, and product versions that evaluated their products and have asserted that their products are not affected by the OpenSSL HeartBleed vulnerability. Owners and operators of control systems might use this list to determine whether their equipment may also contain a version of OpenSSL that is affected by these newly reported vulnerabilities. This document will be updated as needed.”
This is helpful for some versions of OpenSSL, but the 0.9.8 and 1.0.0 branches were not affected by HeartBleed and are affected by some of the vulnerabilities listed above (the MITM, DTLS and anonymous ECDH issues; the 0.9.8 branch is not affected by the two SSL_MODE_RELEASE_BUFFERS issues). So some of the vendors listed as clean for HeartBleed may actually have problems with some of these vulnerabilities.
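To make the preceding point concrete, here is an added example (my own code, not anything published by ICS-CERT, the blog, or OpenSSL) that takes an OpenSSL version string as reported by `openssl version` or a server banner and reports which of the six June 2014 CVEs, plus HeartBleed, apply to it. The per-branch first-fixed releases in the table are my reading of the OpenSSL security advisories (0.9.8za, 1.0.0m and 1.0.1h for the June fixes; 1.0.1g for HeartBleed); the version-parsing rules and the sample banners are assumptions of the example. The important caveat for a control system owner is that this is a version-string check only: distributions that backport fixes without changing the version letter, and vendors that statically link a patched library, will be misreported either way, so treat the output as a starting point for asking the vendor, not as a verdict.

```python
import re
from typing import Dict, List, NamedTuple, Optional

# First fixed release per OpenSSL branch (None = branch never affected), as read from
# the OpenSSL advisories of 7 April 2014 (HeartBleed) and 5 June 2014 (the six below).
FIRST_FIXED: Dict[str, Dict[str, Optional[str]]] = {
    "CVE-2014-0160": {"0.9.8": None, "1.0.0": None, "1.0.1": "1.0.1g"},           # HeartBleed
    "CVE-2014-0224": {"0.9.8": "0.9.8za", "1.0.0": "1.0.0m", "1.0.1": "1.0.1h"},  # SSL/TLS MITM
    "CVE-2014-0221": {"0.9.8": "0.9.8za", "1.0.0": "1.0.0m", "1.0.1": "1.0.1h"},  # DTLS recursion
    "CVE-2014-0195": {"0.9.8": "0.9.8za", "1.0.0": "1.0.0m", "1.0.1": "1.0.1h"},  # DTLS invalid fragment
    "CVE-2014-0198": {"0.9.8": None, "1.0.0": "1.0.0m", "1.0.1": "1.0.1h"},       # RELEASE_BUFFERS NULL deref
    "CVE-2010-5298": {"0.9.8": None, "1.0.0": "1.0.0m", "1.0.1": "1.0.1h"},       # RELEASE_BUFFERS injection/DoS
    "CVE-2014-3470": {"0.9.8": "0.9.8za", "1.0.0": "1.0.0m", "1.0.1": "1.0.1h"},  # anonymous ECDH DoS
}


class Version(NamedTuple):
    major: int
    minor: int
    fix: int
    letters: str  # patch letters: "" < "a" < ... < "z" < "za" < "zb"

    @property
    def branch(self) -> str:
        return f"{self.major}.{self.minor}.{self.fix}"

    @property
    def key(self):
        # OpenSSL patch letters run a..z then za, zb, ...; length-first ordering reproduces that.
        return (self.major, self.minor, self.fix, len(self.letters), self.letters)


# Prefer a version that follows the word "OpenSSL" so that a banner such as
# "Apache/2.2.22 (Debian) OpenSSL/1.0.1g" does not yield the Apache version.
_PREFIXED_RE = re.compile(r"OpenSSL[ /](\d+)\.(\d+)\.(\d+)([a-z]*)")
_BARE_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str) -> Version:
    """Extract an OpenSSL release version from `openssl version` output or a banner."""
    m = _PREFIXED_RE.search(text) or _BARE_RE.search(text)
    if not m:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return Version(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def status(version: Version, cve: str) -> str:
    """Return 'affected', 'fixed', 'not affected' or 'unknown' (branch not in the table)."""
    branch_fixes = FIRST_FIXED[cve]
    if version.branch not in branch_fixes:
        return "unknown"
    first_fixed = branch_fixes[version.branch]
    if first_fixed is None:
        return "not affected"
    return "fixed" if version.key >= parse_version(first_fixed).key else "affected"


def assess(text: str) -> Dict[str, str]:
    """Status of every CVE in the table for the version found in `text`."""
    version = parse_version(text)
    return {cve: status(version, cve) for cve in FIRST_FIXED}


def clean_for_heartbleed_but_exposed(text: str) -> List[str]:
    """June 2014 CVEs that still apply to a build a HeartBleed-only list would call clean.

    Returns [] when the build is itself HeartBleed-vulnerable, because the HeartBleed
    list already flags it; otherwise the June CVEs it is still affected by.
    """
    report = assess(text)
    if report["CVE-2014-0160"] == "affected":
        return []
    return [cve for cve, s in report.items() if cve != "CVE-2014-0160" and s == "affected"]


if __name__ == "__main__":
    # Constructed sample banners for illustration, not output from any real device.
    samples = [
        "OpenSSL 0.9.8y 5 Feb 2013",
        "OpenSSL 1.0.0l 6 Jan 2014",
        "Apache/2.2.22 (Debian) OpenSSL/1.0.1f",
        "OpenSSL 1.0.1g 7 Apr 2014",
        "OpenSSL 1.0.1h 5 Jun 2014",
    ]
    for banner in samples:
        v = parse_version(banner)
        print(f"{v.branch}{v.letters}: HeartBleed {assess(banner)['CVE-2014-0160']}; "
              f"still exposed to {clean_for_heartbleed_but_exposed(banner) or 'nothing'}")
```

Run against the sample banners, 0.9.8y and 1.0.0l both come back "not affected" for HeartBleed yet exposed to four (0.9.8) or all six (1.0.0) of the June issues, and 1.0.1g, which the HeartBleed list would record as patched, is exposed to all six; only 1.0.1h is clean. That is exactly the gap between ICS-CERT's HeartBleed list and the new advisory.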
Of course, this is the type of information that we would expect ICS-CERT to provide. Based upon the HeartBleed experience we can expect to see this type of information in version D or E of this advisory. But we are kept up to date on Automated Road Sign vulnerabilities.