Today (a Federal Holiday in case you didn’t notice) the DHS ICS-CERT published an advisory for twin ActiveX component vulnerabilities in the Rockwell Connected Components Workbench (CCW) application; actually, the way the advisory is written and CVE’d, it is a single vulnerability in two separate ActiveX components. The vulnerability was reported by Andrea Micalizzi (working through ZDI) in a coordinated disclosure. Rockwell has produced a new software version that mitigates the vulnerability and apparently self-certified its efficacy instead of inviting rgod (okay, nom de hacks are not necessarily classy) to do so.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to execute arbitrary code.
There are a bunch of minor oddities about this advisory:
- It was published on Veterans Day. I was going to commend ICS-CERT for working on a holiday to get this information out, but it had been previously released on the US-CERT Secure Portal earlier in the month so another day would not have made an appreciable difference.
- The advisory does not name the two ActiveX components, and the Rockwell information is locked in a customer-only section of their web site.
- Looking at the ZDI site it looks like these ActiveX components were identified/reported on different days under different ZDI file numbers (ZDI-CAN-2417 and ZDI-CAN-2418). I can’t tell for sure because it is still listed on the “Upcoming Advisories” page.
- ICS-CERT is very careful not to report that the two unnamed ActiveX components do not have to be open or running for their vulnerability to be exploited.
From the way things are written and not said, it sounds like these ActiveX components were from an outside source. That might mean that they are in other vendor systems as well. Having the component names might make it easier for other vendors to search for and repair the vulnerabilities in their products.
BTW: ICS-CERT missed yesterday’s announcement by Siemens ProductCERT of their Poodle vulnerability. This was particularly interesting because of how difficult the SSL3 vulnerability would reportedly be to exploit and Siemens was reporting mitigation measures anyway (deactivate SSL and use TLS instead).
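Since the Siemens mitigation boils down to "make sure nothing still negotiates SSL3," a defender's first question is whether any device on the network actually does. The following is an added example (my own illustration, not code from Siemens ProductCERT, ICS-CERT or any of the advisories above): it parses the ServerHello record a server sends back during the handshake, reads the version the server chose, and flags anything at SSLv3 or below. The sample records are constructed inline so it runs offline; in practice the bytes would come from a packet capture of the TLS port of the device under review.

```python
import struct

# Protocol version bytes as carried in the SSL/TLS record and handshake headers.
VERSION_NAMES = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

HANDSHAKE_CONTENT_TYPE = 0x16  # record layer content type for handshake messages
SERVER_HELLO = 0x02            # handshake message type for ServerHello


def negotiated_version(record: bytes):
    """Return the (major, minor) version the server selected in a ServerHello,
    or None if the bytes are not a handshake record carrying a ServerHello."""
    # 5-byte record header + 4-byte handshake header + 2-byte server_version
    if len(record) < 5 + 4 + 2:
        return None
    content_type, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE_CONTENT_TYPE:
        return None
    body = record[5:5 + rec_len]
    if len(body) < 6 or body[0] != SERVER_HELLO:
        return None
    hs_len = int.from_bytes(body[1:4], "big")  # 3-byte handshake length
    if hs_len + 4 > len(body):
        return None  # truncated message, do not trust the version field
    # server_version is the first field of the ServerHello body
    return body[4], body[5]


def version_name(version) -> str:
    return VERSION_NAMES.get(version, "unknown")


def is_legacy_ssl(record: bytes) -> bool:
    """True when the server agreed to SSLv3 (or something older), i.e. the
    configuration Siemens recommends turning off."""
    version = negotiated_version(record)
    return version is not None and version <= (3, 0)


def build_server_hello(major: int, minor: int) -> bytes:
    """Construct a minimal, well-formed ServerHello record for testing.
    This is a constructed sample, not a real capture."""
    server_random = b"\x00" * 32
    session_id = b"\x00"          # zero-length session id
    cipher_suite = b"\x00\x2f"    # TLS_RSA_WITH_AES_128_CBC_SHA
    compression = b"\x00"         # null compression
    hello_body = bytes([major, minor]) + server_random + session_id + cipher_suite + compression
    handshake = bytes([SERVER_HELLO]) + len(hello_body).to_bytes(3, "big") + hello_body
    return struct.pack("!BBBH", HANDSHAKE_CONTENT_TYPE, major, minor, len(handshake)) + handshake


def scan_records(records):
    """Classify a list of captured records; returns [(version name, legacy flag)]
    for every record that is a ServerHello, skipping everything else."""
    results = []
    for record in records:
        version = negotiated_version(record)
        if version is None:
            continue
        results.append((version_name(version), version <= (3, 0)))
    return results


if __name__ == "__main__":
    # Constructed samples: one SSLv3 server, one TLS 1.2 server, one non-handshake record.
    samples = [build_server_hello(3, 0), build_server_hello(3, 3), b"\x17\x03\x03\x00\x05hello"]
    for name, legacy in scan_records(samples):
        print(f"{name}: {'LEGACY - disable SSLv3' if legacy else 'ok'}")
```

Only the ServerHello matters for this check: a ClientHello advertises what the client is willing to do, but the server's reply is what was actually negotiated, so it is the record to watch when confirming that an SSL3 deactivation has taken effect on a device.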