Wednesday, December 15, 2010

DHS ICS-CERT Issues Wonderware InBatch Advisory (Updated)

Some time last night the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) issued an advisory for a buffer-overflow vulnerability reported in the Wonderware InBatch Server and I/A Batch Server industrial control system products. The vulnerability affects all supported versions of these products. Invensys confirms the existence of this vulnerability, which was posted on an unnamed vulnerability disclosure site by an independent security researcher. According to the advisory, Invensys is in the process of developing a patch to mitigate this vulnerability.

ICS-CERT notes that exploit code for this vulnerability has been published and expects that an attacker with a moderate skill level could remotely exploit this vulnerability. The buffer-overflow vulnerability could lead to a denial of service (DOS) or potentially allow an attacker to execute arbitrary code.

ICS-CERT recommends the following mitigation measures:

● “Install the patch when it is released. ICS-CERT will provide an update to this Advisory when a patch is released.
● “Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
● “Control system networks and devices should be located behind firewalls and isolated from the business network. Access to TCP Port 9001 should be restricted. If remote access is required, secure methods such as Virtual Private Networks (VPNs) should be utilized.”

As always, ICS-CERT provides their standard caveat about applying defensive measures: “ICS-CERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.”

The advisory notes that Invensys has a Cyber Security Updates site, but does not provide a link to that site. There is no mention that I could find of such a site on their publicly accessible web pages; if it exists it is behind the registered user barrier. [NOTE: I just got an email from CERT SOC; they provided the missing link: http://iom.invensys.com/EN/Pages/IOM_CyberSecurityUpdates.aspx and noted that the Advisory will be corrected tomorrow. 8:49 pm EST]
ICS-CERT will update this advisory when a patch is released.
