Tuesday, September 20, 2011

ICS-CERT Issues First Advisory for Recent Luigi Vulnerabilities

Today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published its first Advisory for one of last week’s Luigi vulnerability disclosures; this one deals with the multiple vulnerabilities reported in Measuresoft ScadaPro Server. Measuresoft has produced a new version of its software that corrects all three vulnerabilities by disabling the network port common to them.


There is a little more information available in this advisory about the three vulnerabilities in this system. Those three vulnerabilities, all remotely exploitable, are:

• Path Traversal – could lead to information leaks/disclosure;

• Insecure Method Call – could lead to information leaks/disclosure; and

• Stack Overflow – could result in DoS, and possibly remote execution of code.

The first two vulnerabilities require little skill to exploit (especially with exploit code already available), as does a denial-of-service attack using the third. Turning the stack overflow into remote code execution would take considerably more skill.
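The advisory names the vulnerability classes but not the affected code, so the following is an added illustration of the two classes that matter most here (an unbounded copy into a stack buffer, and a file name taken from the network and used without a traversal check), written for this post and not taken from ScadaPro or from ICS-CERT. The data directory, buffer size and function names are assumptions chosen for the example; the point is the shape of the check, not Measuresoft’s actual handler.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical data directory; the advisory does not describe ScadaPro's real layout. */
#define DATA_ROOT "C:\\ScadaPro\\data\\"
#define NAME_MAX_LEN 64   /* hypothetical fixed buffer size used by the handler */

/* BEFORE: both defect classes in one handler. The caller hands us a file
 * name taken straight off the network socket.
 *  - strcpy() into a fixed stack buffer: a name longer than NAME_MAX_LEN
 *    overwrites the stack (DoS, possibly code execution).
 *  - No check on the name: "..\\..\\boot.ini" walks out of DATA_ROOT
 *    (path traversal, information disclosure).
 * Never call this with untrusted input; it is here only to show the pattern. */
void build_path_vulnerable(const char *client_name, char *out)
{
    char name[NAME_MAX_LEN];
    strcpy(name, client_name);   /* unbounded copy */
    strcpy(out, DATA_ROOT);
    strcat(out, name);           /* no traversal check */
}

/* AFTER: bounded copy plus an allow-list on the file name.
 * Returns 1 and writes root+name into out on success, 0 (out untouched) on
 * any rejection. Rejecting separators outright is simpler and safer than
 * trying to strip ".." sequences from a path the client controls. */
int build_path_safe(const char *root, const char *client_name,
                    char *out, size_t out_len)
{
    size_t n = strlen(client_name);

    /* Length bound closes the overflow: the name must fit the buffer the
     * original handler used, including the terminating NUL. */
    if (n == 0 || n >= NAME_MAX_LEN)
        return 0;

    /* A leading '.' covers ".", "..", and hidden files. */
    if (client_name[0] == '.')
        return 0;

    /* Allow-list: letters, digits, '_', '-', '.'. Anything else, including
     * '/', '\\' and ':', is rejected, so the name cannot leave root or name
     * a drive or an alternate data stream. */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)client_name[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.'))
            return 0;
    }

    /* snprintf is bounded and reports truncation, which we treat as failure. */
    int w = snprintf(out, out_len, "%s%s", root, client_name);
    if (w < 0 || (size_t)w >= out_len)
        return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample requests, as a client might send them. */
    const char *requests[] = {
        "tags.csv",               /* legitimate */
        "..\\..\\boot.ini",       /* Windows-style traversal */
        "../../etc/passwd",       /* POSIX-style traversal */
        "C:boot.ini",             /* drive-relative path */
    };
    char path[260];
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        if (build_path_safe(DATA_ROOT, requests[i], path, sizeof path))
            printf("accepted: %s -> %s\n", requests[i], path);
        else
            printf("rejected: %s\n", requests[i]);
    }
    return 0;
}
```

Note that the fix Measuresoft shipped, disabling the port, removes the attack surface entirely rather than hardening the handler; the allow-list above is what a vendor would do if the service had to stay reachable.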

No Attribution

Not only does ICS-CERT not provide attribution for the discovery of these vulnerabilities, but it goes so far as to stomp its feet and cry about the lack of coordination from Luigi. Okay, that description is a bit over the top, but the tone does seem more than a bit childish. Here is what ICS-CERT published in this Advisory about the disclosure process:

“Attribution for the discovery of these vulnerabilities is not provided in this advisory because no prior coordination occurred with the vendor, ICS-CERT, or other coordinating body. ICS-CERT encourages researchers to coordinate vulnerability details before public release. The public release of vulnerability details prior to the development of proper mitigations may put industrial control systems (ICSs) and the public at avoidable risk.”

Granted, the way that Luigi communicated these vulnerabilities exposes system owners to an excessive level of risk, but effectively dissing him because he doesn’t share ICS-CERT’s opinion about coordinated disclosure is very short sighted. This is especially true since the security research community read the Bugtraq release the same as ICS-CERT did and knows full well who discovered these vulnerabilities.

Besides, the quick response from Measuresoft and the earlier response from Rockwell were motivated, in at least some measure, by the fact that these vulnerabilities were publicly disclosed. On the other hand, Siemens doesn’t seem to respond well to either coordinated or uncoordinated disclosures, so public disclosure is not the whole answer either.

System Distribution

There is one final issue raised, in passing, in this Advisory. In the ‘Background’ section of the Advisory, ICS-CERT notes:

“According to Measuresoft, ScadaPro is sold in multiple countries by various third-party distributors, making total deployment difficult to quantify.”

If it is hard for Measuresoft to quantify its total deployment, it will also be difficult for them to contact the users/owners of the vulnerable software to warn them about the vulnerability and the mitigation. Anyone who believes that each of the owners of this (and all of the other SCADA systems deployed worldwide) reads the ICS-CERT web site, or this blog, or the blogs of the major reviewers of control system security issues is in for a rude awakening. I suspect that a significant majority of the systems will never get the word about these vulnerabilities.

These are relatively minor vulnerabilities, by all accounts that I have been hearing. But they are a definite warning about the general problem that the control system community is going to be facing in the future. And part of that problem, a part that hasn’t been addressed as of yet, is how we communicate the vulnerabilities and their mitigations to the users instead of just to each other.
