Today the DHS ICS-CERT published two control system security advisories for products from Schneider and Moxa.
This advisory describes twin uncontrolled resource consumption vulnerabilities in the Schneider Electric Magelis human-machine interface (HMI) products. The vulnerabilities were reported in a coordinated disclosure by Eran Goldstein, in collaboration with Check Point Software Technologies and CRITIFENCE, and were publicly reported earlier this week. Schneider plans on having a new release available next spring, but is providing the workarounds listed in this advisory.
While ICS-CERT calls both vulnerabilities ‘uncontrolled resource consumption vulnerabilities’, CRITIFENCE uses more descriptive names:
• Improper implementation of HTTP GET request - CVE-2016-8367; and
• Improper implementation of HTTP chunked Transfer-Encoding request - CVE-2016-8374.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to cause a denial of service for the affected devices. The Schneider security notification notes that the vulnerabilities can only be exploited when the Web Gate Server is activated; the function is disabled by default.
BTW: These are the Schneider vulnerabilities that I retweeted about earlier this week.
This advisory describes two vulnerabilities in the Moxa OnCell Security Software. The vulnerabilities were reported by Maxim Rupp (who at this point should be listed as a member of the Moxa cybersecurity team; just saying). Moxa has produced a new version (for two of the ten affected systems) that mitigates the vulnerability. There is no indication that Rupp was provided an opportunity to verify the efficacy of the fix.
The vulnerabilities include:
• Improper authentication - CVE-2016-8362; and
• Permissions, privileges and access control - CVE-2016-8363
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to download files or execute arbitrary commands via the web console.