This afternoon the DHS ICS-CERT published a new control system security advisory for a Rexroth Bosch product and updated an advisory for a Siemens product.
Rexroth Bosch Advisory
This advisory describes two vulnerabilities in the Rexroth Bosch BLADEcontrol-WebVIS. The vulnerabilities were reported by Maxim Rupp. Rexroth Bosch has produced a new version. There is no indication that Rupp was provided an opportunity to verify the efficacy of the fix.
The reported vulnerabilities are:
• SQL injection - CVE-2016-4507; and
• Cross-site scripting - CVE-2016-4508
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to compromise the database server or achieve remote code execution.
Siemens Update
This update provides new information on a Siemens advisory that was reported by ICS-CERT on May 19th, 2016 for the Siemens SIPROTEC 4 and SIPROTEC Compact. The update removes a previously reported version of SIPROTEC Compact (7SK80) from the advisory. It also adds update information for another version of SIPROTEC Compact.
ICS Ransomware Issue
As I mentioned on TWITTER on Saturday, there is an interesting article over on ISSSource.com about a report from Rockwell Automation describing a ransomware attack delivered by a file called ‘Allenbradleyupdate.zip’ that was made available on the internet (no source given). Apparently this file is not on the Rockwell web site, and there is no information about any kind of social engineering attack associated with the file.
A copy of the Industrial Security Advisory from Rockwell is available here. It is presumably available on the Rockwell Automation web site, but access to that site is restricted to customers and Rockwell employees, so I cannot verify that.
Rockwell learned about the file from the Electricity Information Sharing and Analysis Center (E-ISAC). This is a good example of how information sharing should work to get information back to responsible folks to evaluate and spread the word. Unfortunately, it appears that the attempt by Rockwell to share this information via ICS-CERT was rebuffed.
While no one would like to think that any responsible control system engineer would apply an update to an industrial control system that was obtained from anywhere other than a vendor web site, I think that we have to admit that with a properly crafted social engineering attack it is almost inevitable that someone would load this ransomware masquerading as an ICS update. Spreading the word about this as widely as possible would certainly be in the best interest of everyone (except the ransomware author, of course). It is inconceivable to me that ICS-CERT would not use its information sharing capabilities to spread the word.
It is just a matter of time before a ransomware attack like this finds its way onto a hacked vendor or integrator web site. This is a good time to begin a discussion about what vendors are doing to prevent such site hacks and how vendors and users can ensure that only legitimate system updates are applied to live systems. This is another good reason to first apply updates to test systems before they are applied to real control systems.
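As an added illustration of what "ensuring that only legitimate updates are applied" can look like in practice, here is a small Python check (my own example, not code from the post, from Rockwell, or from any vendor). It assumes a hypothetical vendor publishes a manifest of SHA-256 hashes for every file in an update archive through a channel separate from the download itself (its customer portal over TLS, or a signed manifest), and it refuses an archive that contains files the manifest does not list, files whose hashes do not match, or unsafe member paths. The archives and manifest below are constructed inline so the script runs offline.

```python
import hashlib
import hmac
import io
import zipfile
from typing import Dict, List, Tuple


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a byte string as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def verify_update_archive(archive_bytes: bytes,
                          manifest: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Check a downloaded update archive against a vendor-published manifest.

    Returns (ok, problems). ok is True only when every file in the archive is
    listed in the manifest with a matching SHA-256 and every manifest entry is
    present. Nothing in the archive is extracted or executed by this check.
    """
    problems: List[str] = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return False, ["not a valid zip archive"]

    with zf:
        seen = set()
        for info in zf.infolist():
            name = info.filename
            if name.endswith("/"):          # directory entry, nothing to hash
                continue
            # Reject absolute paths and '..' components so a later extraction
            # cannot be steered outside the staging directory.
            if name.startswith("/") or ".." in name.split("/"):
                problems.append("unsafe member path: %s" % name)
                continue
            seen.add(name)
            expected = manifest.get(name)
            if expected is None:
                # A dropper added to a repackaged update shows up here.
                problems.append("unexpected member not in manifest: %s" % name)
                continue
            actual = sha256_hex(zf.read(name))
            if not hmac.compare_digest(actual, expected.lower()):
                problems.append("hash mismatch for %s" % name)
        for name in manifest:
            if name not in seen:
                problems.append("manifest file missing from archive: %s" % name)

    return (not problems), problems


def build_archive(members: Dict[str, bytes]) -> bytes:
    """Helper to construct an in-memory zip for the demonstration."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


# --- Constructed sample data (not real vendor files) -----------------------
GOOD_FIRMWARE = b"\x00constructed controller firmware image\x00"

# Hypothetical vendor manifest: file path -> SHA-256, obtained out of band.
VENDOR_MANIFEST = {"firmware/controller.bin": sha256_hex(GOOD_FIRMWARE)}

# 1. The genuine archive: exactly the manifest's files with matching hashes.
LEGIT_ARCHIVE = build_archive({"firmware/controller.bin": GOOD_FIRMWARE})

# 2. A repackaged archive: genuine firmware plus an extra executable that the
#    manifest never mentioned (a constructed stand-in for a ransomware dropper).
REPACKAGED_ARCHIVE = build_archive({
    "firmware/controller.bin": GOOD_FIRMWARE,
    "update_installer.exe": b"MZconstructed-stand-in-for-a-dropper",
})

# 3. A modified archive: the firmware image itself has been altered.
MODIFIED_ARCHIVE = build_archive({"firmware/controller.bin": GOOD_FIRMWARE + b"\x90"})


if __name__ == "__main__":
    for label, blob in (("legit", LEGIT_ARCHIVE),
                        ("repackaged", REPACKAGED_ARCHIVE),
                        ("modified", MODIFIED_ARCHIVE)):
        ok, problems = verify_update_archive(blob, VENDOR_MANIFEST)
        print(label, "ACCEPT" if ok else "REJECT", problems)
```

The check deliberately does only integrity and completeness; the trust comes from where the manifest was obtained, so fetching it from the same unauthenticated link as the archive would defeat the purpose. It also fits naturally in front of the test-system step the post recommends: an archive that fails here never reaches even the test controller.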