This afternoon the DHS ICS-CERT updated three advisories for vulnerabilities in systems from Yokogawa, Emerson and Siemens. They also published a new Crain-Sistrunk advisory for a vulnerability in the DNP Master Driver from Elipse.
ICS-CERT reports that Yokogawa has provided software patches for the affected systems. There is also a change in the name of some of the affected systems, though the version numbers remain the same. Interestingly, Yokogawa has not updated their report on this vulnerability so we don’t know if they made their ‘end of September’ start date for issuing these patches.
BTW: Yokogawa has a new control system vulnerability report posted to their web site as of last Friday for their FAST/TOOLS software.
This update adds a new vulnerability to those listed on the original version. The new vulnerability is an authentication bypass by capture replay vulnerability that could allow for arbitrary code execution and is also remotely exploitable.
ICS-CERT also reports that in addition to the patch previously mentioned Emerson now also recommends deploying “the [Moxa] EDR-810 [secure router] between the host and the field device it is virtually impossible for an attacker to eavesdrop on communications or falsify commands”.
BTW: ICS-CERT is also careful to change the description of the four researchers that reported the vulnerability and verified the efficacy of the patch, so that description now indicates that they are ‘formally of Cimation’; I think they may mean ‘formerly’.
I suspect that this update of last week’s advisory is reporting that Siemens has added a new update for one of the previously un-mitigated applications. Unfortunately, clicking on the provided link for this update returns a Chrome notice that “This webpage has a redirect loop” or an Internet Explorer notice that “This webpage cannot be displayed” as of 9:45 pm CST. In any case you can find the information on the Siemens ProductCERT advisory. This is the update that I tweeted about last Friday. NOTE: As of 1:00 pm CST 12-03-14 the Siemens advisory link is working.
This advisory describes a resource exhaustion vulnerability in the DNP Master Driver in various control system products from Elipse. The vulnerability was reported by the venerable team (make them feel older than they actually are I will) of Crain-Sistrunk and their trusty Aegis fuzzer. By my count of their reporting (they aren’t keeping their public count too up to date, probably busy finding other vulnerabilities) this should be #27 of 30 DNP vulnerabilities that they have identified. ICS-CERT had previously released this to the US-CERT Secure Portal on October 30th (as I cryptically reported last month).
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause short-term (30 seconds in people time) system unavailability. ICS-CERT reports that Elipse has produced a new version of their DNP driver that mitigates this vulnerability, but they do not mention if Crain-Sistrunk have verified the efficacy of that fix.