Wednesday, September 22, 2010

ICS-CERT Advisory – BACnet OPC Client

Last Friday I did a quick post about a control system vulnerability alert sent out by DHS ICS-CERT. Today the ICS-CERT folks have posted an ‘Advisory’ on the same vulnerability with additional information including mitigation measures to take to deal with the vulnerability in the SCADA Engine® BACnet OPC Client.

The Vulnerability

As I noted in the earlier blog, the BACnet OPC Client allows communications between a workstation and the BACnet OPC server, which in turn allows for control of a number of building environmental, safety, and security controls. A successful exploitation of the vulnerability (a stack-based buffer overflow in SCADA Engine’s BACnet OPC Client, for those with more of a technical background than I have) “results in arbitrary code execution potentially leading to a system compromise” (pg 2).

I was kind of confused when the alert came out last Friday because it noted that ICS-CERT was in the process of contacting the vendor. The ICS-CERT vulnerability disclosure policy typically involves contacting the vendor and allowing a reasonable time to get mitigation measures developed before publicly announcing a vulnerability. The wording of the Alert did not seem to indicate that this was being done.

The reason for that deviation from policy is now apparent. Exploit code was published for this vulnerability, so anyone using this software was potentially at a real risk of attack. Typically security researchers don’t publish exploit code without allowing the vendor to develop their mitigation efforts. The reason that Jeremy Brown (the researcher who discovered this vulnerability) did not wait is clear from the introduction to the exploit code; he maintains that SCADA Engine blew him off when he contacted them about the vulnerability.

The Mitigation

The vulnerability was discovered in version 1.0.24. A later version (1.0.025) has the vulnerability corrected. The new version is supposed to be downloadable from the SCADA Engine web site, but today the URL simply returns an “Internet Explorer cannot display the webpage” error message. It did work last Friday when I was preparing the earlier blog posting; probably too much traffic to the site.

As is usual with any mitigation measure for a control system that requires updating the software, ICS-CERT provides the following caution statement (pg 3):

“ICS-CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.”
