This afternoon the DHS ICS-CERT updated (up to ‘F’ now) their Situational Awareness Alert for the OpenSSL vulnerability. They also published new advisories for vulnerabilities in systems from Trihedral Engineering and Yokogawa.
The OpenSSL alert update adds ABB to the list of vendors with affected products. The Relion 650 series has a patch available to mitigate the vulnerability. There is no explanation as to why this update was so long in coming. The last HeartBleed update was published back in April and ABB published their advisory in July.
The Trihedral advisory describes an integer overflow vulnerability in the company's VTS and VTScada products. The vulnerability was reported by an anonymous researcher through ZDI. ICS-CERT reports that Trihedral has produced a patch that mitigates the vulnerability.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to cause the application to crash.
Interestingly, the Trihedral update page says nothing about this vulnerability in their upgrade descriptions. ZDI does report that they notified Trihedral of this vulnerability (ZDI-CAN-2599) on November 19th, so this was a very quick response.
The Yokogawa advisory reports an XML external entity processing vulnerability in the Yokogawa FAST/TOOLS application. The vulnerability was reported by Timur Yunusov, Alexey Osipov, and Ilya Karpov of Positive Technologies Inc. ICS-CERT reports that Yokogawa has developed a service pack that mitigates this vulnerability, but no mention is made that the researchers have verified the efficacy of the fix.
ICS-CERT reports that it would be difficult to craft an exploit of this vulnerability and local access would be required. Yokogawa also reports (in their CVSS calculation) that local access is required, but notes that it can be exploited by an attacker that “intrudes into the WebHMI server in any way”. Something may be lost in translation there because that sounds to me like remote access could be used to exploit this vulnerability.
I mentioned earlier that Yokogawa had publicly reported this vulnerability over a week and a half ago; not very timely reporting by ICS-CERT.