Yesterday the DHS ICS-CERT published two ‘new’ advisories that had been previously published on the US-CERT Secure Portal; one for a GE application and one for an application from Arbiter Systems.
GE Advisory
This advisory describes a memory access violation vulnerability in the GE CIMPLICITY CimView application. The vulnerability was reported by Said Arfi. GE has produced an update that mitigates the vulnerability, but there is no report of Arfi verifying the efficacy of the update.
ICS-CERT reports that a moderately skilled attacker could exploit this vulnerability to execute arbitrary code. While the advisory states that this vulnerability could not be remotely exploited, it does note that user interaction is required for exploitation. That would seem to mean that a specially crafted social engineering attack could cause a local user to upload the .CIM file needed to exploit this vulnerability.
This is the second GE advisory this week that has been withheld from public view for almost 90 days after it was released on the US-CERT Secure Portal. It is hard to understand why it would take that length of time for GE system owners to mitigate this vulnerability, especially since the vulnerability is not supposed to be remotely exploitable.
Arbiter Systems Advisory
This advisory describes a GPS clock spoofing vulnerability. This vulnerability was apparently self-reported. Arbiter Systems has developed a new product that does not have the reported vulnerability.
ICS-CERT reports that, while the vulnerability is remotely exploitable, the vendor believes that it would be difficult to craft a workable exploit. They are so sure of this, in fact, that Arbiter Systems still intends to sell the vulnerable system. ICS-CERT does explain that a successful exploit could disrupt the clock.
What is not explained in the advisory is that disrupting a clock in a SCADA system will interfere with the coordination of the actions of physically separated components of that system. The potential effects would be determined by what controls were mis-coordinated.