Saturday, April 2, 2011

ICS-CERT Updates Siemens Luigi Vulnerabilities

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) issued an advisory providing updated information about the control system vulnerabilities identified last month by Luigi in the Siemens Tecnomatix Factory Link product. ICS-CERT had earlier provided a brief alert about the six vulnerabilities identified in this system.

The advisory provides a description of each of the three categories of vulnerabilities, including a brief description of each individual vulnerability, a note about the exploitability, a note that a publicly available exploit exists, and the level of ability an attacker would need to have to exploit the vulnerability. The three categories are:

• Buffer overflow (2 vulnerabilities)
• Absolute Path Traversal (3 vulnerabilities)
• NULL Pointer Dereference (1 vulnerability)

The advisory provides links to the Siemens web site for their:

• Patch;
• Vulnerability advisory; and
• Recommended security practices.

This is a pretty quick response by Siemens to a blind-sided announcement of multiple vulnerabilities in one of their older systems. In fact, the ICS-CERT advisory notes that Siemens has announced that “FactoryLink is now considered a mature product and will not offer FactoryLink after October 2012”. There is no indication of how long Siemens will continue to provide support for this product. Popular software companies like Microsoft cut off support after just a handful of years, but ICS software may be used for decades.

ICS-CERT provides their standard security advice in the mitigation section of the advisory. Dale Peterson has an interesting discussion about this advice over on his blog. [Full Disclosure: I periodically write guest posts for the DigitalBond blog]

Early Warning and Indicator Notice

ICS-CERT also published a CERT Early Warning and Indicator Notice. This is a listing of sites where there is “initial reporting of suspected malicious activity on critical infrastructure / key resources (CIKR) networks”. In keeping with the distribution instructions for this UNCLASSIFIED document, if you are not a person “who implement(s) network security measures or make cybersecurity decisions” you should not look at this document. I apologize; I’m not and I did; please don't send the info police to get me.

I suppose that if I spent some time on the main CERT web site I would be used to seeing this type of publication. If this is a listing of sites that contain malicious code, worms, bugs and other nefarious stuff, then I would think that CERT would want to broadcast this document far and wide. That would help people avoid this stuff. Of course, if CERT was wrong about any of the sites it would leave them open to all sorts of complaints and suits. So they just spread the word to those who block sites to people working on critical networks.

None of the web site names listed (with an interesting substitution of [dot] for the actual symbol in the URL) look like ones that I would be inspired to click on, but there are some that might be of apparent interest to some of my friends and family. I would really like to warn them, but I’m afraid they’re not cleared for this level of UNCLASSIFIED information.
