Today the DHS ICS-CERT published two new advisories and updated a two-week-old advisory. The new advisories address vulnerabilities in control system applications from Schneider and Magnetrol. The update was for the CodeWrights advisory.
This update provides a slight expansion of the scope of the vulnerability. It explains that “the exploit is possible from any adjacent network between the FDT/DTM frame application and the HART transmitter on the 4 mA to 20 mA current loop”. The previous version noted only that access “to the 4 mA to 20 mA HART current loop is required to exploit this vulnerability”.
This slightly weakens the claim that crafting “a working exploit for this vulnerability would be difficult”.
The Schneider advisory describes a stack-based buffer overflow vulnerability in a number of Schneider products. The original discovery by Ariele Caltabiano (kimiya) with HP’s Zero Day Initiative (ZDI) dealt with the vulnerability in the SoMove Lite software package. Schneider subsequently discovered the same vulnerability in a number of device type managers (DTM) containing the same DLL. Schneider has produced a patch that mitigates the vulnerability, but there is no mention of whether kimiya has been given the opportunity to validate the effectiveness of the patch.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to execute arbitrary code on the affected systems. Schneider reports that the patch will replace the vulnerable FTD1 DLL.
The Magnetrol advisory is kind of a waste of time. It describes the same CodeWrights vulnerability described in the advisory that was updated today. In fact, Magnetrol is one of the companies listed in the CodeWrights advisory as potentially having the vulnerable HART DTM library in some of their products. The whole point of the CodeWrights advisory was that ICS-CERT could update that advisory when some vendor announced their implementation of a fix for the vulnerability in their equipment.
Oh well, Magnetrol has integrated the CodeWrights update and issued revised HART DTM library extensions.
I owe ICS-CERT a major public apology. The ‘missing’ Siemens vulnerability report deals with the NTP issue, not the CodeWrights vulnerability.