Wednesday, April 13, 2011

ICS-CERT Publishes Two New Advisories

Today, the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published two new SCADA advisories in the Wonderware InBatch Client and the Honeywell ScanServer. Both vulnerabilities were discovered by security researchers and have patches that have been developed by the vendor and verified by ICS-CERT.

Wonderware InBatch

This new Wonderware vulnerability is similar to the earlier reported vulnerability in the InBatch Server in that it is a buffer overflow vulnerability. The difference is that this vulnerability is in the Client ActiveX control and it is not covered by the earlier patch. Additionally, this vulnerability would be more difficult to exploit because it would require a social engineering attack to convince the user to access a malicious host.

No direct link to the patch is provided in this advisory. Invensys recommends that registered users log into the Wonderware Developer Network or contact Wonderware Tech Support. Additional information can be obtained by logging into the Invensys Cyber Security Updates site.

Honeywell ScanServer

The reported Honeywell vulnerability is found in its ScanServer, a component of their Web Toolkit. The toolkit can be included in the Honeywell SymmetrE building control systems product or used as a stand-alone tool with other software products. As the ICS-CERT advisory explains:

“When a client system accesses a web page created with the vulnerable version of Honeywell’s Web Toolkit, it will receive an ActiveX component that is vulnerable to exploitation if the client system subsequently visits a malicious website.” (page 1)
The publicly available proof of concept (PoC) code could allow a moderately skilled attacker to create an exploit that would allow remote execution of arbitrary code. Implementing the exploit would require convincing the target to visit a malicious web site.

The advisory provides a detailed discussion of the mitigation measures, which include downloading “the updated version of Web Toolkit ScanServer component build 862.1.10.1”. The remaining mitigation measures will depend on the type of system involved.

Spear Phishing

It is interesting that both of these vulnerabilities require the use of social engineering tools. Since the previous report from ICS-CERT was the NCCIC report on spear phishing, it almost seems as if the web site owner knew these advisories were coming. Well, actually they almost certainly did; these advisories have been in the works for some time, with ICS-CERT apparently being contacted by the researcher and then working with the vendor to verify the vulnerability and the effectiveness of the mitigation.

In fact, I would assume that the reason for the unusual posting of an NCCIC report on the ICS-CERT site was the fact that these two vulnerabilities were quickly approaching publication. I think that it would have been more effective if all three documents had been released on the same day and someone at ICS-CERT had published a more reader-friendly editorial going into more detail on how different social engineering attacks are crafted.
