This afternoon the DHS ICS-CERT published an OSIsoft advisory for 56 vulnerabilities in one product and alerts on two different Rockwell products. ICS-CERT did not name researchers on the Rockwell alerts, so we cannot tell whether these are DefCon related. The OSIsoft vulnerabilities are all self-reported.
This advisory comes close to describing the most serious of the 56 vulnerabilities in the OSIsoft PI System software. It lists the categories for the top 25 vulnerabilities, ranked by risk; they are:
∙ CWE-20: Improper Input Validation (6 issues),
∙ CWE-250: Execution with Unnecessary Privileges (3 issues),
∙ CWE-200: Information Exposure (1 issue),
∙ CWE-476: NULL Pointer Dereference / Denial of Service (13 issues), and
∙ CWE-384: Session Management (2 issues).
OSIsoft has produced a new version of Data Archive that mitigates these vulnerabilities.
Rockwell Alert 1
This alert describes a cross-site scripting vulnerability in Rockwell Automation’s 1769-L18ER/A LOGIX5318ER web interface. A proof-of-concept exploit has been publicly released. ICS-CERT is coordinating with Rockwell.
Rockwell Alert 2
This alert describes a remote file inclusion vulnerability in Rockwell Automation’s 1766-L32BWAA/1766-L32BXBA web interfaces. A proof-of-concept exploit has been publicly released. ICS-CERT is coordinating with Rockwell.
How long has OSIsoft known about some of these vulnerabilities? Probably a relatively long time. Luckily for them (we hope) no researcher found these vulnerabilities first. Just think of how many BH/DC presentations were missed because no one was looking.
Rhetorical question to think about: Was OSIsoft marketing behind the notification of ICS-CERT about these vulnerabilities? It is a great way to get folks to upgrade, but it might warn off new customers. I guess it could go either way.
Yesterday’s alerts clearly identified the researcher who notified ICS-CERT days before public release. Today’s alerts, with no apparent prior notification of ICS-CERT, did not get attribution. Is that the way ICS-CERT plans on handling this touchy issue in the future? If so, researchers take note: drop ICS-CERT a line just before you go public.