Today the DHS ICS-CERT published advisories for vulnerabilities in Honeywell’s Experion Process Knowledge System and Innominate mGuard and updated previously issued advisories for Siemens and Emerson control systems.
The Emerson update clarifies information that was published in an update two weeks ago. The earlier update added a new vulnerability to the advisory, and its wording implied that the previously issued patch mitigated that vulnerability as well. There was an interesting twitversation about this wording and it appears that someone may have been listening (a good thing).
ICS-CERT now clarifies that the patch mitigates all but the recently added authentication bypass vulnerability. That vulnerability is the one that requires the use of the third-party secure router for mitigation. There are also some interesting changes in the wording about the use of that router. Originally ICS-CERT reported that:
“Emerson asserts that by adding the EDR810 between the host and the field device it is virtually impossible for an attacker to eavesdrop on communications or falsify commands.”
The new wording is a bit less bombastic and more limited in its claims:
“At this time, Emerson recommends that concerned asset owners install the EDR 810 between the host and the field device to mitigate this vulnerability.”
I suspect that someone’s lawyer got involved.
The Innominate advisory describes a self-reported privilege escalation vulnerability in the mGuard devices. Innominate has produced a firmware patch that reportedly mitigates the vulnerability.
ICS-CERT reports that a moderately skilled attacker who already has admin privileges on the system could remotely exploit this vulnerability to escalate those to root privileges and execute arbitrary commands. Innominate reports that in most installations the personnel holding admin and root privileges are the same, so the vulnerability would have no practical effect in those cases.
BTW: Innominate also reported that there is a denial of service vulnerability in a slightly different set of mGuard devices, caused by the way they use an OpenVPN connection to tunnel IPsec packets. I wonder why ICS-CERT didn't publish an advisory for this vulnerability, since it was also published yesterday by Innominate.
The Honeywell advisory describes five vulnerabilities in the Honeywell Experion Process Knowledge System (EPKS) application. The vulnerabilities were reported by Alexander Tlyapov, Gleb Gritsai, Kirill Nesterov, Artem Chaykin and Ilya Karpov of the Positive Technologies Research Team and Security Lab. ICS-CERT reports that Honeywell has developed patch updates for the affected products, but does not say that the researchers have validated the efficacy of the patches.
The five vulnerabilities include:
• Heap-based buffer overflow - CVE-2014-9187;
• Stack-based buffer overflow - CVE-2014-9189;
• Arbitrary memory write - CVE-2014-5435;
• Directory traversal - CVE-2014-5436; and
• File inclusion - CVE-2014-9186.
ICS-CERT reports that a moderately skilled attacker could remotely exploit these vulnerabilities to achieve remote code execution or, potentially, information disclosure. I can find no information on the public Honeywell web site about these vulnerabilities.