This morning the DHS ICS-CERT published an updated advisory for control system vulnerabilities reported in the Meteocontrol WEB'log. The Advisory was originally published last week and I reported on potential problems with the advisory yesterday. Additionally, the Karn Ganeshen memo to Full Disclosure on this topic is now available.
ICS-CERT made changes to two areas of the Advisory. First they added a new paragraph to the ‘Impact’ section of the advisory. That new paragraph reads:
“Successful exploitation of these vulnerabilities can allow silent execution of unauthorized actions on the device such as modifying plant data; modifying modbus/inverter/other devices; configuration parameters; and saving modified configuration and device reboot.”
ICS-CERT also made a number of changes to the vulnerability overview section of the advisory. They changed the title and description of the first two vulnerabilities and added a third new vulnerability.
The ‘Information Exposure’ vulnerability (CVE-2016-2296) was changed to ‘Improper Access Control’ with this new description:
“All application functionality, and configuration pages, including those accessible after administrative login, can be accessed without any authentication.”
The ‘No Authentication’ vulnerability (CVE-2016-2297) was changed to ‘Command Shell Accessible’ with this new description:
“The application has a hidden/obscured access command shell-like feature that allows anyone to run a restricted set of system commands. This shell can be accessed directly without any authentication.”
Finally, ICS-CERT added a Cross-Site Request Forgery vulnerability (CVE-2016-4504).
Full Disclosure Memo
I mentioned yesterday that Karn Ganeshen had reportedly sent a memo to the Full Disclosure list explaining the deficiencies in the original Meteocontrol Advisory. Today that memo has been published on the site. In that memo, Karn has provided sample URLs that would allow access to the information on WEB’log devices without authentication.
I’m not sure if this information rises to the level of ‘exploit code’ since some additional work (I think) would have to be done to get these sample URL’s to work. In any case ICS-CERT continues in this version of the Advisory to report that: “No known public exploits specifically target these vulnerabilities.” Then again, they may not have known about the existence of this Full Disclosure memo when they revised the Advisory.