This afternoon the DHS ICS-CERT published three new control system security advisories for systems from Rockwell, Infinite, and Siemens.
Rockwell Advisory
This advisory describes multiple vulnerabilities in the Rockwell Allen-Bradley MicroLogix 1100 and 1400 programmable logic controller (PLC) systems. The vulnerabilities were reported by Ilya Karpov of Positive Technologies, Nir Giller of CyberX, and independent researcher Aditya Sood. Rockwell has produced firmware updates for most of the vulnerabilities with one fix still in the works. There is no indication that any of the researchers were provided the opportunity to verify any of the fixes.
The vulnerabilities include:
• Stack-based buffer overflow - CVE-2015-6490 (remains to be fixed in 1400);
• Improper restriction of operations within the bounds of a memory buffer - CVE-2015-6492;
• Unrestricted upload of a file with dangerous type - CVE-2015-6491;
• Cross-site scripting - CVE-2015-6488; and
• SQL injection - CVE-2015-6486.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities.
Slightly interesting that three separate researchers independently identified these vulnerabilities. Some element of chance involved, but I bet lots of people look at Rockwell PLCs.
Infinite Advisory
This advisory describes multiple vulnerabilities in the Infinite Automation Systems Mango Automation application. The vulnerabilities were reported by Steven Seeley of Source Incite and Gjoko Krstic of Zero Science Lab. Infinite Automation Systems has produced a new version to mitigate the vulnerabilities and the researchers have validated the efficacy of the fix.
The vulnerabilities include:
• Unrestricted upload of file with dangerous type - CVE-2015-7904;
• OS command injection - CVE-2015-7901;
• Information exposure through debug information - CVE-2015-7900;
• SQL injection - CVE-2015-7903;
• Cross-site request forgery - CVE-2015-6493;
• Cross-site scripting - CVE-2015-6494; and
• Response discrepancy information exposure - CVE-2015-7902.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities.
Another large multiple-vulnerability disclosure with multiple independent discoveries. This is getting to be a trend.
Siemens Advisory
This advisory describes a single vulnerability caused by an IEEE conformance issue involving improper frame padding in Siemens RuggedCom. The vulnerability was initially reported by David Formby and Raheem Beyah of Georgia Tech. Siemens has developed a new software version that mitigates the vulnerability and the researchers have validated the fix.
ICS-CERT reports that a relatively unskilled attacker on the network might be able to read a limited amount of unintended data within the packet. The Siemens notice explains that the data could come from previous network traffic of other VLANs.
NOTE: This vulnerability was reported by Siemens last week.