Today the DHS ICS-CERT published two control system security advisories for products from Schneider Electric and Mitsubishi Electric.
Schneider Advisory
This advisory describes multiple (365 Java Runtime Environment, JRE) vulnerabilities in the Schneider Trio TView Management Suite. The vulnerabilities were reported by Karn Ganeshen. Schneider has produced a new version of TView that bundles a newer version of the JRE which does not have the reported vulnerabilities. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT does not try to list each of the previously reported vulnerabilities in JRE 1.6.0 update 27 (the Schneider security notice does, by CVE). Instead ICS-CERT provides the following statistical evaluation:
• 180 vulnerabilities were identified as having a CVSS base score of 7.0-10;
• 161 vulnerabilities were identified as having a CVSS base score of 4.0-6.9; and
• 24 vulnerabilities were identified as having a CVSS base score of 0.0-3.9.
ICS-CERT generously reports that a relatively low skilled attacker could remotely use publicly available exploits to compromise the Trio TView Management Suite.
NOTE: It is easy to criticize Schneider for not using updated versions of the JRE (as they were issued) to update TView, or at least for not using the latest version each time TView was periodically updated. But failing to do so made their job easier, since they did not have to check that each updated JRE was forward compatible with the changes being made in TView. The big question, of course, is what other software, tools and libraries Schneider also failed to update in this and other products.
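The bundled-JRE problem above is an inventory problem for the asset owner as much as a patching problem for the vendor: a product can carry its own private copy of the runtime that no OS patch cycle touches. The following is an added example (not code from the advisory, ICS-CERT, or Schneider) of a defender-side check that parses `java -version` output collected from product install directories and flags runtimes below a minimum acceptable version. The sample output lines, the host names, and the baseline of Java 8 are constructed assumptions for illustration; the `1.6.0_27` string is the version named in the advisory.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample output in the shape `java -version` prints (it writes to
# stderr). The first entry mirrors the JRE version cited in the advisory; the
# other two are assumed hosts for comparison.
SAMPLE_VERSION_OUTPUT: Dict[str, str] = {
    "tview-host (constructed)": (
        'java version "1.6.0_27"\n'
        "Java(TM) SE Runtime Environment (build 1.6.0_27-b07)"
    ),
    "eng-ws-a (constructed)": (
        'java version "1.8.0_292"\n'
        "Java(TM) SE Runtime Environment (build 1.8.0_292-b10)"
    ),
    "eng-ws-b (constructed)": (
        'openjdk version "17.0.2" 2022-01-18\n'
        "OpenJDK Runtime Environment (build 17.0.2+8)"
    ),
}

# Both the legacy 'java version' banner and the 'openjdk version' banner
# carry the version in the first quoted token.
_VERSION_RE = re.compile(r'^(?:java|openjdk) version "([^"]+)"', re.MULTILINE)

Version = Tuple[int, int, int]


def parse_java_version(output: str) -> Optional[Version]:
    """Parse `java -version` text into a comparable (feature, interim, update).

    Legacy scheme  1.6.0_27 -> (6, 0, 27)
    Current scheme 17.0.2   -> (17, 0, 2), and bare "17" -> (17, 0, 0)
    Returns None when no version banner is present.
    """
    match = _VERSION_RE.search(output)
    if not match:
        return None
    numbers: List[int] = []
    # Split on '.' and '_' and keep the leading digits of each piece so that
    # suffixes such as "-ea" or "+8" do not break the parse.
    for piece in re.split(r"[._]", match.group(1)):
        digits = re.match(r"\d+", piece)
        if not digits:
            break
        numbers.append(int(digits.group()))
    if not numbers:
        return None
    if numbers[0] == 1 and len(numbers) >= 2:
        numbers = numbers[1:]  # legacy "1.x" naming: the feature release is x
    while len(numbers) < 3:
        numbers.append(0)
    return (numbers[0], numbers[1], numbers[2])


def outdated_runtimes(
    inventory: Dict[str, str], baseline: Version = (8, 0, 0)
) -> List[Tuple[str, Optional[Version]]]:
    """Return (host, version) for every runtime below `baseline`.

    Unparseable output is reported with version None so that a missing or
    renamed java binary shows up rather than silently passing the check.
    """
    flagged: List[Tuple[str, Optional[Version]]] = []
    for host, output in sorted(inventory.items()):
        version = parse_java_version(output)
        if version is None or version < baseline:
            flagged.append((host, version))
    return flagged


if __name__ == "__main__":
    for host, version in outdated_runtimes(SAMPLE_VERSION_OUTPUT):
        print(f"{host}: bundled JRE {version} is below baseline")
```

Running the block against real hosts means substituting the constructed dictionary with the captured stderr of each product's own `java -version` (the copy inside the product's install directory, not the one on `PATH`); the tuple comparison is what lets the check express "anything older than Java 8" without enumerating every update number.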
Mitsubishi Advisory
This advisory describes multiple (NOT nearly as many as above – grin) vulnerabilities in the Mitsubishi E-Designer (HMI design software). The vulnerabilities were reported by Andrea “rgod” Micalizzi. This product is no longer supported by Mitsubishi. They recommend replacing HMIs designed with E-Designer with ones designed with the new Mitsubishi GT Works.
The reported vulnerabilities are:
• Stack-based buffer overflow (6) - CVE-2017-9638;
• Heap-based buffer overflow (5) - CVE-2017-9636; and
• Out of bounds write (2) - CVE-2017-9634.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerabilities to corrupt sensitive information, crash the system, conduct a denial of service attack, and execute arbitrary code.
NOTE: It appears that E-Designer was written by Beijer Electronics. Their web site claims that E-Designer is nearly identical to their Information Designer, which is used to program the EXTER HMIs. It would be reasonable to assume that an enterprising researcher might find at least some of these vulnerabilities in those Beijer products as well.