While everyone is still talking about BlackEnergy, the DHS ICS-CERT released three advisories today concerning lesser vulnerabilities in three applications used in control system communications. One was a follow-up to an alert issued last Halloween, while the other two are newer vulnerabilities that were released earlier this month on the US-CERT secure portal.
Last Halloween ICS-CERT published an alert about an uncoordinated disclosure (complete with exploit) of a cross-site scripting vulnerability in the Nordex Control 2 (NC2) application. Today ICS-CERT announced that Nordex has (I think) produced a patch to mitigate the vulnerability; needless to say no one has contacted the uncooperative researcher, Darius Freamon, to verify its efficacy.
ICS-CERT reports that a relatively low skilled attacker could use the publicly available exploit to remotely “execute arbitrary script code in the user’s browser”.
I said ‘I think’ parenthetically above because of the wording of the following sentence in today’s advisory:
“Nordex will release a patch for all affected NC2-SCADA versions until the end of 2014.”
I think that means that the patch is available but Nordex will only be applying the patches through the end of the year. The advisory notes that the patching of the wind turbine control system has to be done by Nordex. A year to wait for the vendor to fix a cross-site scripting error, and then having to wait until they can get around to your site to apply the fix; I hope Nordex is including all of this in their sales material.
The second advisory reports another cross-site scripting vulnerability, this time in the web interface of the Meinberg Radio Clocks GmbH & Co. KG LANTIME M400. This was originally reported by Aivar Liimets of Martem Telecontrol Systems in a coordinated disclosure. ICS-CERT reports that Meinberg has produced a firmware update that has been verified by Liimets. This advisory was originally released on the US-CERT secure portal on October 2nd.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to “cause the time server to provide misinformation to devices”.
The third advisory reports two authentication vulnerabilities in the AXM-NET Ethernet module from Accuenergy. The vulnerabilities were reported by Laisvis Lingvevicius in a coordinated disclosure. According to ICS-CERT, Accuenergy has produced a firmware update that has been validated by Lingvevicius. This advisory was also released on the US-CERT secure portal on October 2nd.
The two vulnerabilities are:
• Authentication bypass vulnerability, CVE-2014-2373; and
• Password disclosure vulnerability, CVE-2014-2374.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to change network settings for the AXM-NET module web server as part of a denial of service attack.
Interestingly, the Accuenergy web site offers the following information about the firmware update:
“Redesign and improve encryption method on web-server, tested and verified by Department of Homeland Security, industrial control system cyber emergency response team [sic]”.
In light of discussions about what ICS-CERT really does (see most recently Dale Peterson’s blog post “What Does ICS-CERT Do?”) it is nice to see positive signs of actual involvement in the process of fixing vulnerabilities. Of course there are lots of businesses out there that are trying to make payroll by doing the same sort of thing.
Of course Accuenergy could just be blowing smoke to try to make their own efforts look good.