Yesterday the DHS ICS-CERT published an update for a year-old OleumTech advisory and two new advisories for systems from Emerson and Schneider.
This update effectively closes out the mitigation side of a very peculiar advisory issued last year. In that original advisory ICS-CERT published their document without any apparent agreement from OleumTech that vulnerabilities actually existed. This update takes out two very interesting sentences from the original now that OleumTech has published updates that resolve the vulnerabilities. Those sentences stated:
“The researchers have coordinated the vulnerability details with NCCIC/ICS-CERT and OleumTech in hopes the vendor would develop security patches to resolve these vulnerabilities. While ICS-CERT has had many discussions with both OleumTech and IOActive this past year, there has not been consensus on vulnerability details and positive product developments to resolve identified vulnerabilities.”
In discussing the now available updates for the systems ICS-CERT also removes the following description of the original OleumTech response:
“The vendor and IOActive researcher team do not completely agree with ICS-CERT about the severity and validity of these vulnerabilities. The vendor has stated they do not plan to resolve vulnerabilities they consider not valid.”
I suspect that OleumTech made some changes in their system unrelated to the reported vulnerabilities and realized that they could be considered to be mitigation measures and reported that to ICS-CERT. There is no indication that the original researchers have been given the chance to verify the efficacy of the fixes. In any case it looks like it took two years to fix the vulnerabilities.
The Emerson advisory describes an SQL injection vulnerability in the Emerson AMS Device Manager application. The vulnerability was apparently self-reported, and Emerson has developed a patch for newer versions of the system and a configuration fix for older versions.
ICS-CERT reports that a moderately skilled attacker could exploit this vulnerability to escalate privileges within the Device Manager application, but not on the underlying computer system.
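To show what an SQL injection that yields privilege escalation inside an application (rather than on the host) looks like, here is an added example that is not from the advisory and is not Emerson's code. The user table, the role names and the login functions are all hypothetical; the in-memory SQLite database is constructed for the example.

```python
import sqlite3

# Constructed sample data: a stand-in for an application's own user/role table.
# Hypothetical; not the AMS Device Manager schema.
USERS = [
    ("operator", "op-pass", "operator"),
    ("dmadmin", "s3cret", "administrator"),
]


def make_db():
    """Build an in-memory database holding the constructed user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Builds the query by string formatting, so user input becomes SQL syntax.

    A name of  dmadmin' --  comments out the password check and returns the
    administrator role without the password, i.e. privilege escalation that is
    confined to the application's own authorisation model.
    """
    sql = ("SELECT role FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_fixed(conn, name, password):
    """Same lookup with bound parameters: input is data, never parsed as SQL."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "dmadmin' --", "wrong"))
    print("fixed:     ", login_fixed(db, "dmadmin' --", "wrong"))
```

The point of the paired functions is the boundary: the injected input controls the application's role lookup, so an attacker who can reach the login path becomes an application administrator, but nothing in the query touches the operating system, which matches the "device manager, not the underlying computer" scope ICS-CERT describes.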
This advisory was originally released on the US-CERT Secure Portal on April 21st. It seems odd to me that a vulnerability that requires local access to exploit would sit on the Secure Portal for a month before public release, when many more serious, remotely exploitable vulnerabilities are released publicly immediately.
The Schneider advisory describes a DLL hijacking vulnerability in the Schneider OPC Factory Server (OFS) application. The vulnerability was originally reported by Ivan Sanchez from Nullcode Team. Schneider has produced a patch that mitigates the vulnerability, and Sanchez has been given the opportunity to verify the efficacy of the fix.
ICS-CERT reports that a social engineering attack is required to exploit this vulnerability. A successful exploit could cause a server crash or allow execution of arbitrary code. The Schneider advisory (.PDF Download) does not mention the possibility of code execution.
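Why a DLL hijacking bug typically needs social engineering comes down to where Windows looks for a library and which of those places a non-administrator can write to. The following added example is a simplified model of the Windows search order (SafeDllSearchMode enabled; KnownDLLs and already-loaded modules ignored); it is not Schneider's code, and the application directory, DLL names, PATH entries and writable directories are constructed for the example.

```python
import ntpath

# Constructed layout. Hypothetical; not the OFS install or its imports.
APP_DIR = r"C:\Program Files\Vendor\Server"
CWD = r"C:\Users\operator\Downloads"      # where a user opened an attacker-sent file
PATH_DIRS = [r"C:\Windows\System32", r"C:\Tools"]

# Files that exist on the modelled file system. server.exe imports helper.dll,
# which ships in System32, and also tries to load optional.dll, which is not installed.
FILES = {
    ntpath.join(APP_DIR, "server.exe"),
    ntpath.join(r"C:\Windows\System32", "helper.dll"),
}
# Directories a standard (non-admin) user can write to in this model.
WRITABLE = {CWD, r"C:\Tools"}


def search_order(app_dir, cwd, path_dirs):
    """Simplified default DLL search order with SafeDllSearchMode on."""
    order = [app_dir, r"C:\Windows\System32", r"C:\Windows\System",
             r"C:\Windows", cwd]
    for d in path_dirs:
        if d.lower() not in (o.lower() for o in order):
            order.append(d)
    return order


def resolve_dll(name, order, files):
    """Return the first directory in the search order holding `name`, or None."""
    present = {p.lower() for p in files}
    for d in order:
        if ntpath.join(d, name).lower() in present:
            return d
    return None


def hijack_points(name, order, files, writable):
    """Writable directories searched before the legitimate copy of `name`.

    If the DLL is missing everywhere, every writable directory in the order is a
    hijack point: the loader takes the first copy it finds.
    """
    legit = resolve_dll(name, order, files)
    points = []
    for d in order:
        if legit is not None and d.lower() == legit.lower():
            break
        if d in writable:
            points.append(d)
    return points


if __name__ == "__main__":
    order = search_order(APP_DIR, CWD, PATH_DIRS)
    for dll in ("helper.dll", "optional.dll"):
        print(dll, "->", resolve_dll(dll, order, FILES),
              "hijackable from", hijack_points(dll, order, FILES, WRITABLE))
```

In this model helper.dll is safe: only the application directory is searched before System32, and a standard user cannot write there. optional.dll, which the server looks for but never finds, is picked up from the current directory or a user-writable PATH entry, so an attacker has to get the user to open something from a directory where a malicious optional.dll has been planted. That is the social engineering step ICS-CERT refers to, and it is why the outcome ranges from a crash (a DLL that does not export what the server expects) to code execution in the server's context.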