Today the DHS ICS-CERT published two control system security advisories for products from Rockwell Automation; both had previously been published on the limited access NCCIC Portal on January 16th, 2017. They also published their annual report on ICS-CERT activities for 2016.
Factory Talk Advisory
This advisory describes an unquoted search path or element vulnerability in the Rockwell Factory Talk Services Platform. This is a self-reported vulnerability. Rockwell has produced a new version that mitigates the vulnerability.
ICS-CERT reports that an authenticated, but nonprivileged, local user could exploit this vulnerability to link to or run a malicious executable.
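As an added illustration of the vulnerability class (this is not code from the advisory or from Rockwell), the PowerShell below audits the local machine's services for the unquoted-path condition ICS-CERT describes: an ImagePath that is not wrapped in quotes and whose executable path contains a space, so the service control manager tries shorter interpretations of the path first. It reads the Services registry key directly, which standard users can do, and emits the quoted form an administrator would write back; the remediation function is separate and honours -WhatIf. The regex split at the first ".exe" is an assumption that fits normal service entries and skips driver entries (.sys files).

```powershell
# Added example, not from the advisory or Rockwell: find services whose ImagePath
# is unquoted and contains a space (CWE-428), and show the quoted form to set.

function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()

    Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $key = $_
            # Read the raw value without expanding %SystemRoot% etc., so the fix can be
            # written back unchanged apart from the added quotes.
            $raw = [string]$key.GetValue('ImagePath', $null, 'DoNotExpandEnvironmentNames')
            if (-not $raw) { return }
            if ($raw.TrimStart().StartsWith('"')) { return }   # already quoted, nothing to do

            # Split the executable from its arguments at the first ".exe" (assumption:
            # service binaries end in .exe; driver entries ending in .sys are skipped).
            $m = [regex]::Match($raw, '^(?<exe>.+?\.exe)(?<args>\s.*)?$', 'IgnoreCase')
            if (-not $m.Success) { return }

            # The ambiguity only exists if the executable path itself contains a space
            # after environment variables such as %ProgramFiles% are expanded.
            $exe = [Environment]::ExpandEnvironmentVariables($m.Groups['exe'].Value)
            if ($exe -notmatch '\s') { return }

            [pscustomobject]@{
                Service   = $key.PSChildName
                ImagePath = $raw
                Kind      = $key.GetValueKind('ImagePath')   # String or ExpandString
                Fixed     = '"' + $m.Groups['exe'].Value + '"' + $m.Groups['args'].Value
            }
        }
}

# Remediation: write the quoted path back with the same registry value type.
# Run from an elevated prompt; review the audit output first.
function Repair-UnquotedServicePath {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Service,
        [Parameter(Mandatory)] [string] $Fixed,
        [Microsoft.Win32.RegistryValueKind] $Kind = 'ExpandString'
    )
    $keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$Service"
    if ($PSCmdlet.ShouldProcess($keyPath, "Set ImagePath to $Fixed")) {
        Set-ItemProperty -Path $keyPath -Name ImagePath -Value $Fixed -Type $Kind
    }
}

# Usage: list findings, then dry-run the fix.
Get-UnquotedServicePath | Format-Table -AutoSize
Get-UnquotedServicePath |
    ForEach-Object { Repair-UnquotedServicePath -Service $_.Service -Fixed $_.Fixed -Kind $_.Kind -WhatIf }
```

Vendors fix this class of bug by shipping an installer that registers the quoted path, which is what the new Rockwell release does; the audit above is for finding any other services on the same host with the same defect.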
Connected Components Workbench Advisory
This advisory describes a DLL hijack vulnerability in the Rockwell Connected Components Workbench. The vulnerability was reported by Ivan Sanchez. Rockwell has produced a new version that mitigates the vulnerability. There is no indication that Sanchez has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT makes no mention of the exploitability of this vulnerability, but does note that a successful exploit could result in effects ranging from a denial of service (DoS) to the injection of malicious code into trusted processes, depending on the content of the DLL and the risk mitigations in place by the victim.
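The "risk mitigations in place by the victim" that ICS-CERT mentions mostly come down to file-system permissions: a DLL hijack needs a directory on the loader's search path that a low-privileged account can write to. The added PowerShell below (not code from the advisory or from Rockwell) walks the default safe DLL search order for a given executable, namely the application directory, System32, the 16-bit System directory, the Windows directory, the current directory, and then each PATH entry, and flags any directory whose ACL grants write rights to broad groups such as Everyone, Users or Authenticated Users. The executable path in the usage line is a placeholder; the search order assumes the default SafeDllSearchMode and does not account for manifests, known-DLL entries or SetDllDirectory calls an application may make.

```powershell
# Added example, not from the advisory or Rockwell: list the directories consulted
# when an application loads a DLL by name and flag those writable by broad groups.

function Get-DllSearchDirs {
    param([Parameter(Mandatory)] [string] $ExePath)
    # Application directory comes first in the default search order.
    $appDir = [System.IO.Path]::GetDirectoryName([System.IO.Path]::GetFullPath($ExePath))
    $dirs = @(
        $appDir,
        [Environment]::SystemDirectory,               # System32
        (Join-Path $env:SystemRoot 'System'),          # 16-bit System directory
        $env:SystemRoot,                               # Windows directory
        (Get-Location).Path                            # current directory (after the above in safe mode)
    ) + ($env:Path -split ';' | Where-Object { $_ })   # then each PATH entry, in order
    $dirs | ForEach-Object { $_.TrimEnd('\') } | Select-Object -Unique
}

# Principals whose write access to a search directory is a finding for a
# hardening review; extend the list for local groups that matter on your hosts.
$BroadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)
# Any of these rights lets a principal drop a new file into the directory.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-BroadWriteAccess {
    param([Parameter(Mandatory)] [string] $Dir)
    if (-not (Test-Path -LiteralPath $Dir -PathType Container)) { return $false }
    $acl = Get-Acl -LiteralPath $Dir
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $WriteRights) -ne 0) { return $true }
    }
    return $false
}

function Get-WritableDllSearchDirs {
    param([Parameter(Mandatory)] [string] $ExePath)
    $order = 0
    Get-DllSearchDirs -ExePath $ExePath | ForEach-Object {
        $order++
        [pscustomobject]@{
            Order      = $order
            Dir        = $_
            Exists     = Test-Path -LiteralPath $_ -PathType Container
            BroadWrite = Test-BroadWriteAccess -Dir $_
        }
    }
}

# Usage: placeholder path, substitute the installed application's executable.
Get-WritableDllSearchDirs -ExePath 'C:\Program Files\Example\app.exe' |
    Format-Table -AutoSize
```

A row with BroadWrite set to True that sits before the directory holding the legitimate DLL is the condition to remediate, normally by tightening the directory ACL or removing a stray user-writable entry from the system PATH; a missing directory (Exists False) that a low-privileged user could create is worth the same attention.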
2016 Year in Review
The annual report is much the same as we saw last year in the 2015 report; it is essentially the same as an annual report that one might expect to find sent out to existing and prospective stockholders of a Fortune 500 company. There are lots of numbers, pretty pictures and written fluff that provides little or no new information that can really be used by anyone in the control system security field.
For example, on page 8 there is a brief discussion of incident response activities in FY 2016. After detailing that ICS-CERT responded to 290 incidents, they toss off the comment that: “Also in FY 2016, the team responded to the first known cyberattack to result in physical impact to a power grid.” No additional information was provided, but I suspect that this was the December 2015 attack on the grid in Georgia, not a US grid attack. But you cannot tell that from this report.