Yesterday the DHS ICS-CERT published two new advisories; one for the Siemens WinCC application and another for the MatrikonOPC for DNP application.
This advisory is for two vulnerabilities in SIMATIC WinCC, both as a stand-alone application and as implemented in SIMATIC PCS7 and TIA Portal. These are apparently self-identified vulnerabilities for which Siemens has updates for some of the affected products and is working on updates for the others.
ICS-CERT identifies the vulnerabilities as:
• Remote code execution - CVE-2014-8551; and
• Transfer/extract files - CVE-2014-8552.
Interestingly, this tells us what the exploit of the vulnerability is, not what the vulnerability is. The Siemens ProductCERT advisory is not any more forthcoming on this topic than is the ICS-CERT Advisory. I suspect that any more detailed description of the actual vulnerability would make it easy for the average hacker to figure out how to exploit these vulnerabilities.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities. ICS-CERT reports that exploits for these vulnerabilities may already be available and that these vulnerabilities “may have been exploited during a recent campaign”. Siemens acknowledges assistance from Symantec Deepsight Intelligence, which may substantiate that claim.
Siemens published their advisory on Friday. I noted in a TWEET® on Friday morning the unusual lack of description of the type of vulnerability. With the apparent level of risk involved and the widespread use of these applications, I am very surprised (and disconcerted) that ICS-CERT took this long to publish this advisory.
This advisory reports an unhandled C++ exception vulnerability in the MatrikonOPC DNP3 application. The vulnerability was reported by Crain-Sistrunk and was discovered under their Project Robus using their Aegis Fuzzer (I ought to charge these guys advertising fees, but I like their chutzpah too much). It looks like this is now 26 reported of 31 disclosed for the DNP3 protocol and this is a different vulnerability than most of those previously reported by this team.
ICS-CERT reports that MatrikonOPC has produced a new version that mitigates this vulnerability but does not say that Crain-Sistrunk have verified the efficacy of that mitigation.
ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to effect a denial-of-service attack that would require a manual reboot of the system. The MatrikonOPC Security Notification states that a successful exploit would “require expert knowledge of both the DNP3 protocol and an in-depth understanding of the vulnerability that exists in the affected versions of the MatrikonOPC Server for DNP3”.
MatrikonOPC published their notice on October 22nd, over a month ago. There is no indication in the ICS-CERT advisory that this had been released on the US-CERT Secure Portal, so I wonder why it took so long for this advisory to be published. Could they have been trying to convince MatrikonOPC to allow Crain-Sistrunk to verify that their update worked?