This afternoon the DHS ICS-CERT published two new advisories for industrial control system vulnerabilities in specific equipment from Schneider Electric and Emerson.
The Schneider advisory describes a stack-based buffer overflow vulnerability in the Wonderware InTouch Access Anywhere Server product that was apparently self-identified by the vendor. Schneider has released a product security update that mitigates the vulnerability.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to execute arbitrary code. If Schneider has any additional information about this vulnerability, they are restricting access to that information to customers only. Okay, I don’t really blame them, but it sure makes writing about the vulnerability difficult.
The Emerson advisory describes an improper input validation vulnerability in the CodeWrights HART Device Type Manager (DTM) library used in Emerson’s HART DTM, reported by Alexander Bolshev in a coordinated disclosure. CodeWrights has produced a new library that Emerson has verified mitigates the vulnerability. ICS-CERT and Emerson both state that this vulnerability does not affect field devices or WirelessHART devices.
ICS-CERT reports that physical access to the HART loop is required to exploit this vulnerability, but they also report that exploits are publicly available (see Bolshev’s 2014 Black Hat presentation). This leads to the Emerson mitigation recommendation that, in addition to updating the HART DTM, end users should physically protect their entire infrastructure.
Emerson has a neat little side comment in their discussion about updating the HART DTM that ICS-CERT apparently overlooked. Emerson reported that: “Note: This updated DTM will NOT fix other vendors DTMs affected by this issue.” One assumes that Emerson expects other vendors to be using the same or similar DTM libraries, in which case their DTMs would remain vulnerable until each vendor ships its own update. That might have been something good for ICS-CERT to mention.