Tuesday, January 18, 2011

DHS ICS-CERT Issues Two Advisories

Yesterday the DHS Industrial Control System Cyber Emergency Response Team issued two advisories for different industrial control systems. The first updated a previously issued alert for the WellinTech KingView system. The second outlined a vulnerability in the Sielco Sistemi Winlog.

KingView Update

Last week I reported on the ICS-CERT Alert that had been issued on a reported heap overflow vulnerability in the WellinTech KingView system. At that time ICS-CERT didn’t have much more information than a published report of the vulnerability with exploit code. Since then ThreatPost.com reported on the communications problems that resulted in the lack of response to the security researcher’s reports to CN-CERT that ultimately led to the publication of the exploit code.

Yesterday’s advisory provided more information on the details of the vulnerability along with the mitigation recommendations that include a patch provided by WellinTech. The vulnerability could allow an attacker to crash the system via a heap overflow in the HistorySrv process. Even with the publicly available exploit code, ICS-CERT estimates that it would take an attacker with at least an intermediate skill level to exploit this vulnerability.

DHS ICS-CERT recommends the following mitigation measures be considered after conducting an impact assessment on the system:

• Implement network or host-based firewall rules to limit network access to Port 777/TCP.

• Upgrade to the latest Version 6.53(2010-12-15) and install the patch. Users can download the patch at: http://en.wellintech.com/products/detail.aspx?contentid=25

• Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.

• Control system networks and devices should be located behind firewalls, and be isolated from the business network. If remote access is required, secure methods such as Virtual Private Networks (VPNs) should be used.
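
One way to check the Port 777/TCP firewall recommendation after applying it, shown as an added example that is not part of the ICS-CERT advisory or the original post. Run it from a machine on the network segment being tested; the function names are hypothetical and the host addresses are constructed placeholders.

```python
import socket

HISTORYSRV_PORT = 777  # TCP port named in the advisory's firewall recommendation


def probe_tcp(host, port=HISTORYSRV_PORT, timeout=3.0):
    """Classify one connect attempt as 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: service reachable from here
    except ConnectionRefusedError:
        return "closed"          # reset received: no listener, or a reject rule
    except socket.gaierror:
        raise                    # bad host name is an input error, not a result
    except OSError:
        return "filtered"        # timeout or unreachable: consistent with a drop rule


def audit(hosts, vantage_allowed, port=HISTORYSRV_PORT, timeout=3.0):
    """Return (host, state, verdict) tuples for the machine running the check.

    vantage_allowed: True when this machine is on the firewall allow list,
    False when it sits on a network (e.g. the business LAN) that must be blocked.
    """
    findings = []
    for host in hosts:
        state = probe_tcp(host, port, timeout)
        if vantage_allowed:
            verdict = "ok" if state == "open" else "check: allowed client cannot reach service"
        elif state == "open":
            verdict = "FAIL: port reachable from a network that should be blocked"
        elif state == "closed":
            verdict = "inconclusive: reset received, so a drop rule is not proven"
        else:
            verdict = "ok"
        findings.append((host, state, verdict))
    return findings


if __name__ == "__main__":
    # Constructed placeholder addresses (TEST-NET-1); replace with your own HMI hosts.
    for host, state, verdict in audit(["192.0.2.10", "192.0.2.11"], vantage_allowed=False):
        print(f"{host}:{HISTORYSRV_PORT} {state:9} {verdict}")
```

A "closed" result from a blocked segment only shows that nothing answered on the port at that moment, so repeat the check while the service is running.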

Sielco Sistemi Winlog Vulnerability

The second advisory issued by ICS-CERT deals with a newly reported vulnerability in the WinLog Lite and WinLog Pro HMI software produced by Sielco Sistemi. The vulnerability is found in all versions through 2.07.00. It could allow a remote attacker to initiate a stack overflow, potentially resulting in the attacker being able to remotely execute arbitrary code. Even though exploit code is publicly available, ICS-CERT estimates that it would take a high skill level to exploit this vulnerability.

DHS ICS-CERT recommends the following mitigation measures be considered after conducting an impact assessment on the system:

• Update Winlog Lite and WinLog Pro to the latest Version (2.07.01).
www.sielcosistemi.com/download/WinlogLite_Setup.exe
www.sielcosistemi.com/download/Winlog_Setup_SF.exe
For additional information, customers can contact Sielco Sistemi’s support at:
http://www.sielcosistemi.com/en/support/

• Minimize network exposure for all control system devices. Critical devices should not directly face the Internet. Control system networks and remote devices should be located behind firewalls and be isolated from the business network. If remote access is required, secure methods such as Virtual Private Networks (VPNs) should be used.

1 comment:

Anonymous said...

"The vulnerability could allow an attacker to crash the system via a heap overflow in the HistorySrv process."

An exploit that executes arbitrary code on the HistorySrv process is available.

http://www.exploit-db.com/exploits/15957/

 