This morning the DHS ICS-CERT published three advisories for control system vulnerabilities in systems from Everest Software, IBC Solar and Resource Data Management.
Everest Software Advisory
This advisory describes two pointer dereference vulnerabilities in the Everest Software LLC PeakHMI application. The vulnerabilities were reported by Josep Pi Rodriguez. Everest has produced a new version that mitigates the vulnerabilities, but there is no indication that Rodriguez has verified the efficacy of the fix. This advisory was released to the US CERT Secure portal on August 20th, 2015 and is probably one of the ones that I mentioned last week.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability.
ICS-CERT has two additional mitigation activities to recommend in addition to their standard recommendations for HMI systems. They are:
• Carefully monitor or block traffic to Port 49454.
• Disable the video server if it is not being used. This video server is only for remote HMI video support (it is disabled by default on installation).
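One way a defender could act on the first mitigation is to watch firewall or flow exports for connections to TCP port 49454 from hosts that have no business using remote HMI video. The script below is an added example, not code from ICS-CERT or Everest; the log format, the allowlist network and the sample records are all constructed for illustration.

```python
"""Flag network connections to the PeakHMI remote video port (TCP 49454).

Added example; the one-record-per-line log format, the allowlisted client
network and the sample records are constructed and do not come from the
advisory or from any real product export.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

PEAKHMI_VIDEO_PORT = 49454  # port named in the ICS-CERT mitigation

# Constructed allowlist: the only subnet expected to use remote HMI video.
ALLOWED_VIDEO_CLIENTS = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed sample log: timestamp src dst dport proto action
SAMPLE_LOG = """\
2015-09-01T08:00:01 10.10.5.21 10.10.1.50 49454 tcp allow
2015-09-01T08:00:07 10.10.5.22 10.10.1.50 502 tcp allow
2015-09-01T08:01:13 192.0.2.44 10.10.1.50 49454 tcp allow
2015-09-01T08:02:40 10.10.9.3 10.10.1.50 49454 tcp deny
2015-09-01T08:03:02 10.10.5.21 10.10.1.50 49454 udp allow
"""


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    dst: ipaddress.IPv4Address | ipaddress.IPv6Address
    dport: int
    proto: str
    action: str


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record of the constructed log format."""
    ts, src, dst, dport, proto, action = line.split()
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst),
                int(dport), proto.lower(), action.lower())


def is_allowed_client(addr) -> bool:
    """True when the source address falls inside an allowlisted network."""
    return any(addr in net for net in ALLOWED_VIDEO_CLIENTS)


def find_suspect_video_flows(log_text: str) -> list[tuple[Flow, str]]:
    """Return (flow, verdict) pairs for port 49454 traffic from unexpected hosts.

    'permitted' means the firewall let the connection through and it should be
    investigated; 'blocked' means it was denied but still signals that something
    off the allowlist is probing the video server port.
    """
    suspects = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow.dport != PEAKHMI_VIDEO_PORT or is_allowed_client(flow.src):
            continue
        verdict = "permitted" if flow.action == "allow" else "blocked"
        suspects.append((flow, verdict))
    return suspects


if __name__ == "__main__":
    for flow, verdict in find_suspect_video_flows(SAMPLE_LOG):
        print(f"{flow.ts} {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} {verdict}")
```

Only the two records from hosts outside 10.10.5.0/24 are reported; the allowlisted client's own video traffic and the Modbus connection on port 502 are ignored. If the video server is disabled, as the second mitigation suggests, any hit at all on this port is worth a look.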
IBC Solar Advisory
This advisory describes three vulnerabilities in two different IBC Solar products. The vulnerabilities were reported by Maxim Rupp. ICS-CERT reports that IBC Solar has not mitigated these vulnerabilities.
The three vulnerabilities are:
• Disclosure of source code, CVE-2015-6469;
• Plain text passwords, CVE-2015-6474; and
• Cross-site scripting, CVE-2015-6475.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities.
For the first two vulnerabilities ICS-CERT suggests upgrading to a source that does not have these vulnerabilities. It sounds to me like they are recommending a new vendor, but they don’t come right out and say that (DHS lawyers will be happy). For the cross-site scripting vulnerability they recommend data validation and they also provide a link to an NSA fact sheet on XSS.
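The "data validation" recommendation for the XSS vulnerability comes down to two habits: accept only what a parameter is supposed to look like, and encode free text for the HTML context it is written into. The snippet below is an added illustration, not IBC Solar code; the "station id" parameter and the page fragment are constructed, and the vulnerable function is shown only so the hardened one can be compared against it.

```python
"""Allowlist validation and output encoding against cross-site scripting.

Added example; it does not model the IBC Solar web interface. The station id
parameter and the page fragment are constructed for illustration.
"""
import html
import re

# Constructed allowlist: a station id is a short alphanumeric token.
STATION_ID_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")


def validate_station_id(value: str) -> str:
    """Reject anything that is not a short token; never try to 'clean' it."""
    if not STATION_ID_RE.fullmatch(value):
        raise ValueError(f"invalid station id: {value!r}")
    return value


def render_unsafe(display_name: str, station_id: str) -> str:
    """Vulnerable pattern: untrusted input concatenated straight into markup."""
    return (f"<h1>Welcome {display_name}</h1>"
            f'<a href="/station?id={station_id}">Details</a>')


def render_safe(display_name: str, station_id: str) -> str:
    """Hardened form: validate the structured value, encode the free-text one.

    html.escape with quote=True (the default) also encodes the quote characters,
    which is what protects the attribute context of the href.
    """
    sid = validate_station_id(station_id)
    return (f"<h1>Welcome {html.escape(display_name)}</h1>"
            f'<a href="/station?id={html.escape(sid, quote=True)}">Details</a>')


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"
    print(render_unsafe(sample, "inv-01"))
    print(render_safe(sample, "inv-01"))
```

Validation and encoding are not interchangeable: the id is validated because it has a fixed shape, while the display name is encoded because a person's name legitimately may contain characters such as an ampersand that have meaning in HTML.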
Resource Data Management Advisory
This advisory describes two vulnerabilities in the Resource Data Management Data Manager application. The vulnerabilities were reported by Maxim Rupp. Resource Data Management has produced a new version that mitigates the vulnerabilities, but there is no indication that Rupp has been given the opportunity to verify the efficacy of the fix.
The two vulnerabilities are:
• Privilege escalation, CVE-2015-6470; and
• Cross-site request forgery, CVE-2015-6468.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities.