This afternoon the DHS ICS-CERT published an update for last week’s Advantech Advisory and four new advisories for products from Advantech, GE, CODESYS and Schneider.
Advantech Update
This update announces that Advantech has a new version of WebAccess that mitigates the vulnerabilities identified in this advisory. There is no indication that the researcher who reported the vulnerabilities has been provided an opportunity to verify their efficacy.
Advantech describes this new version as a minor update that includes: “improved Dashboard, security enhancements, [emphasis added] enhanced stability of OPC tool, supports segmentation of BAC net driver transmission, improved stability of WASCADA for RTDB function and solves Dashboards memory leak issues”.
New Advantech Advisory
This advisory describes a stack-based buffer overflow vulnerability in Advantech's WebAccess application. The vulnerability was reported by Ivan Sanchez from Nullcode Team. Advantech has produced a new version (the same one referenced above) that mitigates the vulnerability, and ICS-CERT reports that Sanchez has verified the efficacy of the fix.
ICS-CERT reports that a successful exploit of this vulnerability would require a social engineering attack, which by their definition means that the vulnerability could not be exploited remotely. It is interesting to note, however, that similar stack-based overflows were described in the previous advisory as remotely exploitable by a relatively inexperienced operator.
Since neither this advisory nor last week's identifies the DLLs involved, it is not possible to determine whether the same DLLs are involved in the two advisories. It does appear, however, that this advisory may be the reason for the delay in publication of the new version, the delay that caused Praveen Darshanam to publicly release his proof-of-concept exploit code for the other vulnerabilities.
GE Advisory
This advisory describes two vulnerabilities in the GE MDS PulseNET product line. The vulnerabilities were reported through HP's Zero Day Initiative. GE has produced a new version of the software involved to mitigate these vulnerabilities. There is no indication that the original researcher has been provided the opportunity to verify the efficacy of the fix.
The two vulnerabilities are:
∙ Use of hard-coded credentials, CVE-2015-6456; and
∙ Relative path traversal, CVE-2015-6459.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to operate on the system with administrative access or read/delete arbitrary files on the system.
The GE Product Bulletin [.PDF Download] for this advisory identifies Andrea Micalizzi (rgod) as the researcher who reported the vulnerability.
CODESYS Advisory
This advisory describes a heap-based buffer overflow vulnerability in the CODESYS Gateway Server. The vulnerability was reported through the HP Zero Day Initiative by Josep Pi Rodriguez. 3S has produced a new version that mitigates this vulnerability, but there is no indication that Rodriguez was provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to execute arbitrary code on the system.
Schneider Advisory
This advisory describes a clear-text transmission vulnerability in the Schneider StruxureWare Building Expert product. The vulnerability was reported by Artyom Kurbatov. Schneider has produced a firmware patch that mitigates the vulnerability, and Kurbatov has verified the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to obtain log-in credentials.