This morning DHS ICS-CERT published five advisories for industrial control system vulnerabilities. The affected systems come from GE, Elipse, SCADA Engine, ABB, and CIMON.
GE Advisory
This advisory describes a predictable TCP sequence vulnerability in GE Digital Energy’s Hydran M2 device. The vulnerability was reported by Raheem Beyah, David Formby, and San Shin Jung of Georgia Tech. GE has eliminated this vulnerability in versions of the product produced after October 2014. There is no indication that the researchers have verified that the vulnerability has been removed from newer versions of the device. This vulnerability was originally reported on the US-CERT Secure Portal on February 10th.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to send counterfeit packets as if they came from the device.
Since the vulnerable devices cannot be fixed, they either have to be replaced or protected by other measures that isolate them from the attack.
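A defender deciding whether an existing device needs isolation will want to see the problem in their own traffic. The following is an added example, not part of the ICS-CERT advisory or GE's code: it takes a tcpdump-style text capture of a device's SYN-ACK replies (the captures below are constructed, with made-up addresses and values) and classifies how predictable the device's initial sequence numbers are.

```python
"""Check a set of observed TCP initial sequence numbers (ISNs) for predictability.

Added example, not part of the ICS-CERT advisory or GE's code. Input is a
tcpdump-style text capture (constructed here) of SYN-ACK packets sent by one
device; the addresses and values are made up. The same check can be run over a
real capture of a device's replies before deciding on isolation measures.
"""
import re
from collections import Counter

ISN_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

# Matches the sequence number of a SYN-ACK ("Flags [S.]") line in tcpdump output.
SYNACK_RE = re.compile(r"Flags \[S\.\], seq (\d+)")

# Constructed capture: the device at 10.0.0.5 answers four connection attempts.
# Each ISN is exactly 64000 higher than the previous one. The plain SYN line
# from the client is present to show that it is ignored.
CAPTURE_PREDICTABLE = """\
10:00:01.000 IP 10.0.0.9.40001 > 10.0.0.5.502: Flags [S], seq 3001, win 29200
10:00:01.001 IP 10.0.0.5.502 > 10.0.0.9.40001: Flags [S.], seq 1000000, ack 3002, win 4096
10:00:02.001 IP 10.0.0.5.502 > 10.0.0.9.40002: Flags [S.], seq 1064000, ack 3102, win 4096
10:00:03.001 IP 10.0.0.5.502 > 10.0.0.9.40003: Flags [S.], seq 1128000, ack 3202, win 4096
10:00:04.001 IP 10.0.0.5.502 > 10.0.0.9.40004: Flags [S.], seq 1192000, ack 3302, win 4096
"""

# Constructed capture from a device whose ISNs show no obvious pattern.
CAPTURE_RANDOM = """\
10:05:01.001 IP 10.0.0.6.502 > 10.0.0.9.40101: Flags [S.], seq 2887123456, ack 1, win 4096
10:05:02.001 IP 10.0.0.6.502 > 10.0.0.9.40102: Flags [S.], seq 17351, ack 1, win 4096
10:05:03.001 IP 10.0.0.6.502 > 10.0.0.9.40103: Flags [S.], seq 4012345678, ack 1, win 4096
10:05:04.001 IP 10.0.0.6.502 > 10.0.0.9.40104: Flags [S.], seq 1234567890, ack 1, win 4096
"""


def extract_isns(capture_text):
    """Return the ISNs of all SYN-ACK lines, in capture order."""
    return [int(m.group(1)) for m in SYNACK_RE.finditer(capture_text)]


def isn_deltas(isns):
    """Differences between successive ISNs, taken modulo 2**32."""
    return [(b - a) % ISN_MOD for a, b in zip(isns, isns[1:])]


def assess_isns(isns):
    """Classify an ISN sequence.

    Returns a dict with the dominant increment, how often it occurs, the spread
    of the increments and a verdict:
      constant-increment  every step is the same value (trivially predictable)
      low-variance        steps stay within a 16-bit window (small search space)
      random-looking      no pattern visible at this sample size
    """
    if len(isns) < 2:
        raise ValueError("need at least two ISNs")
    deltas = isn_deltas(isns)
    dominant, count = Counter(deltas).most_common(1)[0]
    spread = max(deltas) - min(deltas)
    if spread == 0:
        verdict = "constant-increment"
    elif spread < (1 << 16):
        verdict = "low-variance"
    else:
        verdict = "random-looking"
    return {
        "samples": len(isns),
        "dominant_delta": dominant,
        "dominant_fraction": count / len(deltas),
        "spread": spread,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for name, capture in (("predictable", CAPTURE_PREDICTABLE), ("random", CAPTURE_RANDOM)):
        print(name, assess_isns(extract_isns(capture)))
```

Two caveats when using this on real traffic: a "random-looking" verdict on four samples proves nothing, so collect many connections, and a device whose ISN is a function of a clock will show a constant increment only if the connections are spaced evenly in time, so vary the spacing as well.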
Elipse Advisory
This advisory describes a process control vulnerability in the Elipse E3 application; the vulnerability is actually located in a third-party (Telerik) DLL. The vulnerability was reported by Ivan Sanchez from Nullcode Team. Elipse has produced a new version which mitigates the vulnerability. ICS-CERT reports that Sanchez has verified the efficacy of the fix.
ICS-CERT reports that the vulnerability is not remotely exploitable, but goes on to explain that a social engineering attack could cause an authorized operator to load a compromised DLL.
ICS-CERT reports that Telerik has notified its other affected customers of the problem with its DLLs and has provided them with updated versions that do not include the vulnerability. Hopefully those other unnamed vendors will notify their customers of the vulnerability.
SCADA Engine Advisory
This advisory describes three vulnerabilities in the SCADA Engine BACnet OPC Server. These vulnerabilities were reported by Josep Pi Rodriguez. SCADA Engine has produced a new software version that mitigates the vulnerabilities. ICS-CERT reports that Rodriguez has verified the efficacy of the fix.
The three vulnerabilities are:
● Heap-based buffer overflow - CVE-2015-0979;
● Input validation - CVE-2015-0980; and
● Authentication - CVE-2015-0981
ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code or modify the OPC Server database.
ABB Advisory
This advisory reports on the CodeWright HART DTM vulnerability in ABB products. The base information provided in this advisory is the same as that found in the latest version of the CodeWright advisory. ICS-CERT reports that ABB has begun to integrate the new CodeWright library, but ABB itself reports that it has updated versions for the affected products which include the corrected CodeWright libraries.
CIMON Advisory
This advisory describes a DLL hijacking vulnerability in the CIMON CmnView.exe application. The vulnerability was reported by Ivan Sanchez of Wise. CIMON has produced a patch that mitigates the vulnerability but there is no indication that Sanchez has verified the efficacy of the patch.
ICS-CERT reports that the vulnerability is remotely exploitable via a social engineering attack. No exploit is publicly available for this specific system but there are publicly available exploits for this ‘attack vector’.
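Both the Elipse and the CIMON advisories come down to the same mechanism: an operator is talked into opening a file that arrives together with a DLL, and the application picks that DLL up from the Windows search path. The following added example (not code from Elipse, CIMON, Telerik or ICS-CERT) models the default Windows DLL search order over a constructed in-memory file system and reports which DLLs an application would load from an untrusted location. "ExampleHMI", the DLL names and the directories are hypothetical; the model covers only loads by bare DLL name and ignores KnownDLLs, application manifests, SetDllDirectory and loads that pass a full path.

```python
"""Model of the Windows DLL search order, used to show how a DLL delivered
alongside a project file can shadow or stand in for a legitimate library.

Added example, not code from Elipse, CIMON, Telerik or ICS-CERT. The file
system is a constructed in-memory dict; "ExampleHMI", the DLL names and the
directories are hypothetical. Only loads by bare DLL name are modelled:
KnownDLLs, application manifests, SetDllDirectory and full-path loads are
ignored.
"""

SYSTEM_DIRS = ["C:\\Windows\\System32", "C:\\Windows\\System", "C:\\Windows"]

# Constructed file system: directory (lower-case) -> file names (lower-case).
# The operator has just unpacked a project archive that also contained DLLs.
FS = {
    "c:\\program files\\examplehmi": {"examplehmi.exe", "ui.dll"},
    "c:\\windows\\system32": {"kernel32.dll", "version.dll"},
    "c:\\users\\operator\\downloads": {"project.prj", "version.dll", "chart.dll"},
}

APP_DIR = "C:\\Program Files\\ExampleHMI"          # hypothetical install directory
PROJECT_DIR = "C:\\Users\\operator\\Downloads"     # current directory once the project is opened
IMPORTS = ["kernel32.dll", "version.dll", "ui.dll", "chart.dll", "plugin.dll"]


def search_order(app_dir, cwd, path_dirs=(), safe_search=True):
    """Directories Windows consults for a bare DLL name, in order.

    With SafeDllSearchMode enabled (the default since Windows XP SP2) the
    current directory is searched after the system directories; with it
    disabled the current directory comes right after the application directory.
    """
    if safe_search:
        return [app_dir, *SYSTEM_DIRS, cwd, *path_dirs]
    return [app_dir, cwd, *SYSTEM_DIRS, *path_dirs]


def resolve(dll, order, fs=FS):
    """Return the first directory in `order` that holds `dll`, or None."""
    name = dll.lower()
    for directory in order:
        if name in fs.get(directory.lower(), set()):
            return directory
    return None


def audit_loads(dlls, app_dir, cwd, path_dirs=(), safe_search=True, fs=FS):
    """For each DLL name, report (directory it would load from, status).

    status is "ok" when the DLL comes from the application or a system
    directory, "untrusted" when it comes from anywhere else (the current
    directory or PATH), and "missing" when no copy is found at all.
    """
    trusted = {d.lower() for d in [app_dir, *SYSTEM_DIRS]}
    order = search_order(app_dir, cwd, path_dirs, safe_search)
    report = {}
    for dll in dlls:
        where = resolve(dll, order, fs)
        if where is None:
            status = "missing"
        elif where.lower() in trusted:
            status = "ok"
        else:
            status = "untrusted"
        report[dll.lower()] = (where, status)
    return report


if __name__ == "__main__":
    for mode in (True, False):
        print("SafeDllSearchMode", "on" if mode else "off")
        report = audit_loads(IMPORTS, APP_DIR, PROJECT_DIR, safe_search=mode)
        for dll, (where, status) in report.items():
            print(f"  {dll:14} {status:10} {where}")
```

Running it shows the two cases that matter to a defender. With SafeDllSearchMode on, the copy of version.dll in the download folder loses to the one in System32, but chart.dll, a library the product does not ship, is still picked up from the download folder because nothing earlier in the search order has it. With SafeDllSearchMode off, even version.dll is taken from the download folder. The mitigations follow from the model: ship and load libraries by full path from the installation directory, keep SafeDllSearchMode on, and treat project files from writable locations the way the advisory treats e-mail attachments.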
Some people have asked me why I make a big deal out of announcing whether or not the researcher who discovered a vulnerability has verified the efficacy of the fix. After all, I am asked, isn’t it in the best interest of the vendor for the fix to work? Today a report from the Zero Day Initiative showed why it may be important for an outsider to verify fixes.
One of the key vulnerabilities exploited by Stuxnet was the now infamous Microsoft MS10-046 vulnerability. This vulnerability allowed systems to automatically run DLL files from USB devices without the operator initiating the action or even knowing that it took place. Microsoft patched that vulnerability four years ago. Earlier this year Michael Heerklotz reported that the patch did not work.
If Microsoft can convince themselves that a flawed patch mitigates a vulnerability, then anyone can. A researcher who discovers a vulnerability looks at it in a different light than does a software engineer who is fixing it under a deadline. Two ways of looking at the problem may not actually be enough, but it is certainly better than just one way.
I’ll continue to be the gadfly that reports whether or not ICS-CERT is reporting that an outsider has verified the efficacy of the mitigation measure being reported.