It was a busy day for ICS-CERT today, with four new advisories, an almost three-month-old advisory finally being published publicly, and one update to an advisory that was published yesterday. Did anyone mention that S4x15 started today?
GE DNP3 Advisory
Let’s get the old advisory out of the way first. This advisory was originally published back on October 14th on the US-CERT Secure Portal. It describes a Crain-Sistrunk improper input validation vulnerability in the DNP3 implementation used by GE iFix and Cimplicity products. The implementation was produced by Catapult Software who developed a patch that mitigates the vulnerability and GE has verified the efficacy of the patch. It does not appear that Crain-Sistrunk have verified the efficacy.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to effect a DoS attack.
According to the Project Robus web site it now looks like 29 of the 30 DNP3 vulnerabilities reported by Crain-Sistrunk have now been publicly disclosed by ICS-CERT.
NOTE: There is no reason given for the unusually long delay between the US-CERT publication and the ICS-CERT public notification.
GE Multilink Advisory
This advisory describes two vulnerabilities that affect the GE Multilink line of switches. The vulnerabilities were found by Eireann Leverett of IOActive in one of the Multilink switch lines, and GE notified ICS-CERT that other lines were affected as well. A firmware upgrade is available.
The two reported vulnerabilities are:
● Resource consumption vulnerability - CVE-2014-5418; and
● Hard-coded key - CVE-2014-5419
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to conduct a DoS attack or decrypt traffic. ICS-CERT reports that there are no public exploits for these specific vulnerabilities, while GE restricts that claim specifically to the ML800 switches.
Phoenix Contact Software Advisory
This advisory describes an authentication vulnerability in applications developed by Phoenix Contact Software. These applications are used by undisclosed vendors to run process control and manage IEC 61131 logic. The vulnerabilities were originally reported by Reid Wightman of Digital Bond. Phoenix Contact Software is considering developing a fix for these vulnerabilities.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to inject arbitrary commands into the protocol.
The end-use product may or may not contain mitigation measures to protect against this vulnerability.
GOOD LUCK. Caveat emptor.
Clorius Controls Advisory
This advisory describes an insecure Java client web authentication vulnerability in the Clorius Controls A/S ISC SCADA server. The vulnerability was originally reported by Aditya Sood who has validated the efficacy of the update that has been made available.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to gain complete access to the server.
Siemens WinCC Sm@rtClient Advisory
I noted the Siemens release of their advisory about this vulnerability this morning on Twitter and am now happy to report the ICS-CERT prompt release of their advisory. It describes three separate authentication vulnerabilities in the WinCC Sm@rtClient iOS Application. The vulnerabilities were originally reported by Kim Schlyter, Seyton Bradford, and Richard Warren from FortConsult. Siemens has produced an update to mitigate the vulnerabilities, but there is no report that the researchers have validated its efficacy.
The vulnerabilities include:
● Insufficiently protected credentials - CVE-2014-5231 and CVE-2014-5233; and
● Improper authentication - CVE-2014-5232
ICS-CERT reports that a relatively low-skilled attacker with local access to the mobile device could exploit these vulnerabilities to gain access to the application and then presumably (my guess, not mentioned in the advisory) remotely access the control system with the full rights of the mobile device owner.
CodeWrights Advisory Update
Yesterday’s advisory was updated today to clarify that, while ABB is a customer of the CodeWrights HART DTM library, ABB has not yet verified that any of its systems are affected by the identified vulnerability. The update provides a link to the ABB security advisory page, where ABB will post the notification if any systems are found to be vulnerable.
I think that it is probably safe to assume that ICS-CERT has not yet verified that any of the other potentially affected vendors listed actually have products with the vulnerabilities. They apparently made the somewhat reasonable assumption that if these vendors (including ABB) had bought the rights to use the vulnerable libraries, their products using those libraries would be affected.
I guess we will just have to wait and see. I know which way I would bet.