This afternoon the DHS ICS-CERT published an OSIsoft advisory
for 56 vulnerabilities in one product and alerts on two different Rockwell
products. ICS-CERT did not name researchers on the Rockwell alerts so we cannot
tell if these are DefCon related. The OSIsoft vulnerabilities are all
self-reported.
OSIsoft Advisory
This advisory almost
describes the most serious of 56 vulnerabilities in the OSIsoft PI System
software. The categories are listed for the top 25 vulnerabilities based upon
risk; they are:
∙ CWE-20: Improper Input Validation (6 issues),
∙ CWE-250: Execution with Unnecessary Privileges (3 issues),
∙ CWE-200: Information Exposure (1 issue),
∙ CWE-476: NULL Pointer Dereference / Denial of Service (13 issues), and
∙ CWE-384: Session Management (2 issues).
OSIsoft has produced a new version of Data Archive that
mitigates these vulnerabilities.
Rockwell Alert 1
This alert
describes a cross-site scripting vulnerability in Rockwell Automation’s 1769-L18ER/A
LOGIX5318ER web interface. A proof-of-concept exploit has been publicly
released. ICS-CERT is coordinating with Rockwell.
Rockwell Alert 2
This alert
describes a remote file inclusion vulnerability in Rockwell Automation’s
1766-L32BWAA/1766-L32BXBA web interfaces. A proof-of-concept exploit has been
publicly released. ICS-CERT is coordinating with Rockwell.
Commentary
How long has OSIsoft known about some of these vulnerabilities?
Probably a relatively long time. Luckily for them (we hope) no researcher found
these vulnerabilities first. Just think of how many BH/DC presentations were
missed because no one was looking.
Rhetorical question to think about: Was OSIsoft marketing
behind the notification of ICS-CERT about these vulnerabilities? Great way to
get folks to upgrade but might warn off new customers. I guess it could go
either way.
Yesterday’s alerts clearly identified the researcher who
notified ICS-CERT days before public release. Today’s alert without apparent
ICS-CERT notification did not get attribution. Is that the way ICS-CERT plans
on handling this touchy issue in the future? If so, researchers take note. Drop
ICS-CERT a line just before you go public.