Today the DHS ICS-CERT published two control system security advisories for systems from Ecava and Schneider. Both advisories are based upon coordinated disclosures.
The Ecava advisory addresses multiple vulnerabilities in the IntegraXor SCADA Server. An Improper Privilege Management vulnerability was reported by Andrea Micalizzi and three other vulnerabilities were identified by Alain Homewood. Alain has verified the efficacy of the patch produced by Ecava to resolve the vulnerabilities that he identified. No information was provided on the efficacy of the fix for resolving the vulnerability identified by Andrea.
The four vulnerabilities identified in this system are:
● External control of file name or path, CVE-2014-2375;
● SQL injection, CVE-2014-2376;
● Sensitive information disclosure, CVE-2014-2377; and
● Improper privilege management, CVE-2014-2386.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities.
NOTE: This advisory was originally released to the US-CERT secure portal on August 12th. This was the advisory that I had referred to earlier. Readers that had access to the secure portal would have already known about this vulnerability.
The Schneider advisory addresses a buffer overflow vulnerability (been a while since we’ve seen one of those) in the VAMPSET software reported by Aivar Liimets of Martem AS. Schneider has produced an update that according to Aivar mitigates the vulnerability.
ICS-CERT reports that direct access to the relay is required for a successful attack. Schneider provides a more detailed description of the way the vulnerability works in their report on the vulnerability. That report also describes additional mitigation measures that can be taken by the system owner/operator.