Today the DHS ICS-CERT published two control system security advisories for products from Moxa and WECON. They also published the latest edition of the ICS-CERT Monitor.
This advisory describes an authorization bypass vulnerability in the Moxa Device Server Web Console. The vulnerability was reported by Maxim Rupp. Support for the device ended in 2012, but Moxa has provided recommendations to mitigate this vulnerability. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to gain access to change settings and data on the target device.
Moxa suggests disabling two ports and restricting access to three others. They note that such restrictions could impact remote systems administration.
This advisory describes two buffer overflow vulnerabilities in the WECON LeviStudio software. The vulnerabilities were reported by Rocco Calvi and Brian Gorenc via the Zero Day Initiative. WECON has not released (and apparently does not plan to release) a product fix to address these vulnerabilities; CAVEAT EMPTOR.
The two vulnerabilities are:
• Heap-based buffer overflow - CVE-2016-4533; and
• Stack-based buffer overflow - CVE-2016-5781
ICS-CERT has a new take on social engineering attacks, and I quote:
“An attacker with low skill would be able to exploit these vulnerabilities. Crafting a working exploit for these vulnerabilities would not be difficult; however, social engineering is required to convince the user to accept the malformed file or visit a malicious web site. This decreases the likelihood of a successful exploit.”
May-June 2016 Monitor
The Monitor covers ICS-CERT operations during May and June of this year. The lead-off article on a specific incident takes an oblique look at the use of SHODAN for identifying control system components facing the internet. Beyond pointing out that some sort of internet-facing device (presumably a control system component?) was identified by ICS-CERT via SHODAN, the only information of note is that when a device is identified by an ISP-assigned IP address, ICS-CERT cannot directly identify the owner. They have to forward the notification to the owner via the ISP. Good to know that ISPs are protecting our privacy (at least in this instance).
We also see four pieces about ICSJWG meetings. The first is a recap of an ICS-CERT presentation at the Spring meeting about “Viewing Your Network through the Eyes of an Attacker”. There is also a listing of the other ICS-CERT presentations at that meeting. Then there is a brief preview of the Fall Meeting. The final item is a lengthy piece about the Advanced Analytical Lab’s presentation at the Spring Meeting.
This issue contains a little bit more information about the system assessments that ICS-CERT does. It contains a brief article outlining the top six weaknesses that ICS-CERT identified in their assessments in 2015. Those weaknesses are:
(1) Boundary protection;
(2) Least functionality;
(3) Authenticator management;
(4) Identification and authentication;
(5) Least privilege; and
(6) Allocation of resources
There are also two brief pieces on Protected Critical Infrastructure Information (PCII). The first is a short article on what facilities need to do to claim PCII protections for information that they submit to ICS-CERT. While the overview is pretty good, there is a lack of detail on what exactly must be in the Express Statement and in the Certification Statement. Those details are available on the PCII web site.
On the whole, this issue of the Monitor is well worth reading.