Saturday, June 25, 2011

ICS-CERT Publishes 2 and Updates 1 SCADA Advisories

On Friday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published two new control system advisories and updated a current advisory. The update concerns the InduSoft buffer overflow advisory issued last week. The two new advisories affect the AzeoTech DAQFactory and Rockwell’s FactoryTalk systems.

InduSoft ISSymbol

The updated advisory mainly provides gramitical corrections to the advisory with little real added value. The only minor exception to that are the two nearly identical corrections in the exploit areas of the advisory. The revision notes that an exploiter would need to craft a web page for the user to access while the ActiveX component was installed on their target system. Most technically savvy readers would have read that between the lines of the original advisory.

AzeoTech DAQFactory

The advisory notes that:

“The DAQFactory networking feature allows multiple machines running DAQFactory to interact with each other. This interaction includes sending a signal from one device to initiate a reboot or shut down of another device. Because these signals are not encrypted or otherwise protected, a successful attacker could trigger a DAQFactory system reboot or shutdown.”
In a system that is remotely accessible, this could allow an attacker with basic skills to craft an exploit that could cause system elements to shutdown or re-boot.

An upgrade is available that mitigates the vulnerability. For older systems, disabling the networking feature (if not needed) will also solve the problem as will isolating networked systems.

Rockwell Automation FactoryTalk

The Rockwell Automation advisory deals with a memory corruption vulnerability in the FactoryTalk Diagnostics Viewer that could result in a moderately skilled attacker being able to execute arbitrary code on the system. An exploit of this vulnerability would require a social engineering attack to get a user to run a corrupted configuration file.

Upgrading to a newer version of the Diagnostics Viewer should successfully mitigate this vulnerability, but Rockwell Automation notes that this is not available as a stand alone upgrade. It requires an upgrade of the entire FactoryTalk Services Platform. Even then Rockwell recommends that “customers review the Rockwell Automation Software Product Compatibility Matrix to ensure they understand the dependencies and compatibilities that may arise as a result of upgrading this product.”

Interesting Coincidence

It is interesting that earlier this week Dale Peterson at DigitalBond complained that most of the recent ICS vulnerabilities were on systems that were little used in the United States. He explained that the relatively large number of these off-shore (my term not his) vulnerabilities distorted the ICS security picture. This distortion might make it appear that the more common ICS packages used here were much less vulnerable.

Both of the new advisories published Friday affect systems that are relatively common in the United States. I’m not sure if they affect much in the way of ‘critical infrastructure’ or chemical manufacturing facilities, but they do remind the community that ICS systems here in this country are vulnerable.

No comments:

/* Use this with templates/template-twocol.html */