Yesterday the DHS ICS-CERT published four new control system security advisories for products from Rockwell, Trane, ABB and Yokogawa. The Rockwell advisory had previously been published on the US CERT Secure Portal back on August 11th.
Rockwell Advisory
This advisory describes a parser buffer overflow vulnerability in the Rockwell RSLogix 500 and RSLogix Micro products. The vulnerability was reported by Ariele Caltabiano (kimiya) via the Zero Day Initiative (ZDI). Rockwell has produced an update that mitigates the vulnerability, but there is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that it would be relatively easy to create an exploit that would allow malicious code to execute on the target computer at the same privilege level as the logged-in user. They also report that a social engineering attack would be required to cause an operator to load and execute the malformed RSS file.
Trane Advisory
This advisory describes an information exposure vulnerability in the Trane Tracer SC field panel. The vulnerability was reported by Maxim Rupp. Trane has produced an update to mitigate this vulnerability, and ICS-CERT reports that Maxim Rupp has verified the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to obtain sensitive information from the contents of configuration files not protected by the web server.
ABB Advisory
This advisory describes a credential management vulnerability in the ABB DataManagerPro application. The vulnerability was reported by Andrea Micalizzi via ZDI. ABB has produced a new version to mitigate the vulnerability, but there is no indication that Micalizzi has been afforded an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker with local system access could exploit the vulnerability to insert and run arbitrary code on a computer where the affected product is used. The ABB Security Advisory reports that an “attacker that manages to get malicious code to a specific directory in the file system of a computer where DataManagerPro is used, could get this code executed by an authenticated and legitimate user of DataManagerPro”.
Yokogawa Advisory
This advisory describes an authentication bypass vulnerability in the Yokogawa STARDOM controller. This vulnerability is apparently self-reported. Yokogawa has produced a new version that mitigates the vulnerability. The Yokogawa Security Advisory reports that the STARDOM controller does not require authentication to connect to the device.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to execute commands such as stopping the application program, changing values, and modifying the application.
Cybersecurity for Building Control Systems
ICS-CERT reported that the National Institute of Building Sciences will be holding a series of workshops in Arlington, VA on cybersecurity for building control systems. The ICS-CERT announcement does not provide much in the way of supporting details (date, location, cost, etc.), but the provided web link to the NIBS workshop site does provide all of the necessary details.