This afternoon the DHS ICS-CERT published two advisories for vulnerabilities in industrial control systems from Schneider Electric and Wind River.
This advisory describes a fixed search path vulnerability (Schneider calls it a binary planting vulnerability) in the Wonderware System Platform. The vulnerability was reported by Ivan Sanchez of WiseSecurity Team. Schneider has produced a patch to mitigate the vulnerability and according to ICS-CERT Sanchez has verified the efficacy of the fix.
ICS-CERT reports that this vulnerability would require a social engineering attack to get an authorized user to load a specially configured DLL file. A successful exploit would allow execution of arbitrary code.
Wind River Advisory
This advisory describes a TCP predictability vulnerability in the VxWorks operating system. The vulnerability was reported by Raheem Beyah, David Formby, and San Shin Jung of Georgia Tech. Wind River has produced patches for the vulnerability, but there is no indication that the Georgia Tech team has been given the opportunity to verify the efficacy of the fix.
ICS-CERT reports that VxWorks is used in a number of ICS devices from a number of vendors. The VxWorks website notes that the operating system is also used in drones, medical devices and consumer IoT devices in addition to ICS devices. ICS-CERT has contacted a number of vendors about the vulnerability. To date only Schneider Electric has produced a firmware patch to fix the VxWorks vulnerability in some of their SAGE RTUs. Additional updates to the advisory will be issued when additional vendor information becomes available.
ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to spoof or disrupt TCP connections to the affected devices. The Schneider advisory (PDF download) for the SAGE RTUs notes that a successful exploit could allow a man-in-the-middle attack.
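Neither advisory spells out how an operator can tell whether a device on their own network behaves predictably, so the following is an added example (not code from ICS-CERT, Schneider Electric, Wind River or the Georgia Tech researchers). It assumes that the "TCP predictability" at issue concerns the initial sequence numbers (ISNs) a device picks for new connections, which is the usual meaning of the phrase; the tcpdump-style capture lines, the function names and the 64 KiB window used as a "guessable" threshold are all constructed for this example. The idea is simple: connect to the device repeatedly, record the ISN in each SYN-ACK (tcpdump -S prints absolute sequence numbers), and measure how close a naive "last increment repeats" prediction lands to the real value.

```python
"""Audit helper: estimate how predictable a device's TCP ISNs are.

Added example, not part of the advisories it accompanies. Assumes the
advisory's 'TCP predictability' refers to initial sequence numbers.
"""
import random
import re
from statistics import median

MOD = 1 << 32  # TCP sequence numbers live on a 32-bit ring

# Constructed tcpdump-style output (as from `tcpdump -S`), not a real capture.
# The "device" here hands out ISNs that simply grow by 4096 per connection.
SAMPLE_CAPTURE = """\
12:00:01.000 IP 192.0.2.10.502 > 192.0.2.50.40001: Flags [S.], seq 4096, ack 2000001, win 8192
12:00:02.000 IP 192.0.2.10.502 > 192.0.2.50.40002: Flags [S.], seq 8192, ack 2000101, win 8192
12:00:03.000 IP 192.0.2.10.502 > 192.0.2.50.40003: Flags [S.], seq 12288, ack 2000201, win 8192
12:00:04.000 IP 192.0.2.10.502 > 192.0.2.50.40004: Flags [S.], seq 16384, ack 2000301, win 8192
12:00:05.000 IP 192.0.2.10.502 > 192.0.2.50.40005: Flags [S.], seq 20480, ack 2000401, win 8192
12:00:06.000 IP 192.0.2.50.40005 > 192.0.2.10.502: Flags [.], ack 20481, win 8192
"""

# Only SYN-ACK lines ("Flags [S.]") carry the server's ISN.
SYNACK_RE = re.compile(r"Flags \[S\.\], seq (\d+)")


def extract_isns(capture_text):
    """Return the ISN from every SYN-ACK line, in capture order; other lines are ignored."""
    isns = []
    for line in capture_text.splitlines():
        match = SYNACK_RE.search(line)
        if match:
            isns.append(int(match.group(1)))
    return isns


def ring_distance(a, b):
    """Shortest distance between two values on the 32-bit sequence-number ring."""
    d = (a - b) % MOD
    return min(d, MOD - d)


def linear_prediction_errors(isns):
    """For each ISN after the second, predict it as (previous + previous increment)
    and record how far that prediction is from the real value."""
    if len(isns) < 3:
        raise ValueError("need at least three ISN samples")
    errors = []
    for i in range(2, len(isns)):
        increment = (isns[i - 1] - isns[i - 2]) % MOD
        predicted = (isns[i - 1] + increment) % MOD
        errors.append(ring_distance(isns[i], predicted))
    return errors


def assess_isns(isns, window=1 << 16):
    """Summarise predictability. If the median prediction error fits inside a
    typical receive window (64 KiB assumed here), a blind guess would usually
    land in-window, which is what makes spoofing or resetting connections feasible."""
    errors = linear_prediction_errors(isns)
    med = median(errors)
    return {"samples": len(isns), "median_error": med, "predictable": med <= window}


def constructed_random_isns(n=10, seed=7):
    """Deterministic stand-in for a device with a proper random ISN generator."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    print("linear device :", assess_isns(extract_isns(SAMPLE_CAPTURE)))
    print("random device :", assess_isns(constructed_random_isns()))
```

Run against a real capture by feeding the text of `tcpdump -nS 'tcp[tcpflags] & (tcp-syn|tcp-ack) == (tcp-syn|tcp-ack)'` taken while a test host opens a few dozen connections to the device; a median error of zero, as with the constructed sample above, is the pattern to look for when deciding which devices need the vendor firmware patch or network-level isolation first.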