ICS-CERT Publishes 3 Advisories and an Update

Today the DHS ICS-CERT published three new advisories for control systems from Hospira, Ecava and Inductive Automation and an update for a recently released advisory for Schneider Electric.

Schneider Update

This update is for the Schneider advisory released last week for the InduSoft WebStudio and InTouch Machine applications. The update provides a link to additional information about the vulnerabilities, but it is only available to registered Wonderware customers, external partners or distributors.

Hospira Advisory

This advisory describes multiple vulnerabilities in the Hospira MedNet server software. The vulnerabilities were reported by Billy Rios. Hospira has produced a new version of the software and provided additional mitigation measures, but there is no indication that Billy has been given the opportunity to verify the efficacy of the fix.

The four vulnerabilities are:

∙ Password in configuration file - CVE-2014-5400;

∙ Improper control of generation code - CVE-2014-5401;

∙ Hard-coded cryptographic key - CVE-2014-5403; and

∙ Hard-coded password - CVE-2014-5405

ICS-CERT reports that a relatively low skilled attacker could remotely exploit three of the vulnerabilities; the pass in configuration file vulnerability is locally exploitable.

ICS-CERT explains that the new version of the MedNet server software addresses three of the vulnerabilities. The fourth vulnerability (improper control of generation of code) is found in “the vulnerable version of JBoss Enterprise Application Platform [link added] software, used in the MedNet software”. There is no indication which version of the EAP software is involved. MedNet has issued two reports (Improving Security in Hospira MedNet 5.5 and 5.8) discussing mitigation methods for this vulnerability. They are reportedly available from MedNet technical support.

NOTE: It goes without saying that vendors that use JBoss EAP should contact RedHat for details about this vulnerability. It will be interesting to see how long it is before this shows up in other ICS application advisories.

Ecava Advisory

This advisory describes a DLL loading vulnerability on the Ecava  IntegraXor SCADA Server. The vulnerability was reported by Praveen Darshanam. Ecava has produced a patch that mitigates the vulnerability and Darshanam has verified the efficacy of the patch.

ICS-CERT reports that a social engineering attack is required to get an authorized user to load a compromised DLL. A successful attack could result in the ability to run malicious code at the authorization level of the DLL.

Inductive Automation Advisory

This advisory describes multiple vulnerabilities in the Inductive Automation Ignition software (HMI/SCADA). The vulnerabilities were reported by Evgeny Druzhinin, Alexey Osipov, Ilya Karpov, and Gleb Gritsai of Positive Technologies. Inductive Automation has produced a patch that mitigates the vulnerability but there is no indication that the researchers have been given an opportunity to verify the efficacy of the fix.

The six vulnerabilities are:

∙ Cross-site scripting - CVE-2015-0976;

∙ Information exposure through error message - CVE-2015-0991;

∙ Insecure storage of sensitive information - CVE-2015-0992;

∙ Insufficient session expiration - CVE-2015-0993;

∙ Credentials management - CVE-2015-0994; and

∙ Use of password hash with insufficient computational effort - CVE-2015-0995

ICS-CERT explains that a relatively low skilled attacker can only locally exploit these vulnerabilities, though they earlier report that the vulnerabilities are remotely exploitable (which sounds more reasonable). The advisory does not describe potential consequences, but it would seem that a successful exploit should allow running of arbitrary code.