Yesterday the DHS ICS-CERT published an update for a
year-old OleumTech advisory and two new advisories for systems from Emerson
and Schneider.
OleumTech Update
This update
effectively closes out the mitigation side of a very peculiar advisory issued
last year. In that original advisory ICS-CERT published their document without
any apparent agreement from OleumTech that vulnerabilities actually existed.
This update takes out two very interesting sentences from the original now that
OleumTech has published updates that resolve the vulnerabilities. Those
sentences stated:
“The researchers have coordinated
the vulnerability details with NCCIC/ICS-CERT and OleumTech in hopes the vendor
would develop security patches to resolve these vulnerabilities. While ICS-CERT
has had many discussions with both OleumTech and IOActive this past year, there
has not been consensus on vulnerability details and positive product
developments to resolve identified vulnerabilities.”
In discussing the now available updates for the systems
ICS-CERT also removes the following description of the original OleumTech
response:
“The vendor and IOActive researcher
team do not completely agree with ICS-CERT about the severity and validity of
these vulnerabilities. The vendor has stated they do not plan to resolve
vulnerabilities they consider not valid.”
I suspect that OleumTech made some changes in their system
unrelated to the reported vulnerabilities and realized that they could be considered
to be mitigation measures and reported that to ICS-CERT. There is no indication
that the original researchers have been given the chance to verify the efficacy
of the fixes. In any case it looks like it took two years to fix the
vulnerabilities.
Emerson Advisory
This advisory
describes an SQL injection vulnerability in the Emerson AMS Device Manager
application. The vulnerability was apparently self-reported, and Emerson has
developed a patch for newer versions of the system and a configuration fix for
older versions.
ICS-CERT reports that a moderately skilled attacker could
exploit this vulnerability to escalate privileges within the Device Manager
application, but not on the underlying computer system.
This advisory was originally released on the US-CERT Secure
Portal on April 21st. It seems odd to me that a vulnerability that
requires local access to exploit would get released on the Secure Portal for a
month before public release when many more serious and remotely exploitable
vulnerabilities get public release immediately.
Schneider Advisory
This advisory
describes a DLL hijacking vulnerability in the Schneider OPC Factory Server
(OFS) application. The vulnerability was originally reported by Ivan Sanchez
from Nullcode Team. Schneider has produced a patch that mitigates the
vulnerability and Sanchez has been given the opportunity to verify the efficacy
of the fix.
ICS-CERT reports that a social engineering attack is required
to exploit this vulnerability. A successful exploit could crash the server
or allow execution of arbitrary code. The Schneider
advisory (.PDF download) does not mention the possibility of code
execution.