Wednesday, September 7, 2011

ICS-CERT Publishes Advisories on Two Industrial Control Systems

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published two control system advisories. One dealt with the Siemens WinCC system while the other dealt with the Scadatec Limited Procyon system.

Siemens WinCC

A new set of security researchers, Billy Rios and Terry McCorkle, have reported a memory corruption vulnerability in WinCC Runtime Advanced Loader, a component of both WinCC flexible and TIA Portal. This vulnerability was reported in limited distribution on the US-CERT secure portal on September 1st.

The vulnerability would allow an attacker with basic skills to use a specially crafted packet to execute a denial of service attack and possibly execute arbitrary code remotely. There is no known exploit publicly available for this vulnerability.

Siemens has not developed, nor is it intending to develop a patch for this vulnerability. They advise customers to keep this feature disabled on their systems except when it is being used to update firmware.

Scadatec Limited Procyon

The nSense Vulnerability Coordination Team has reported a buffer overflow vulnerability in the Scadatec Limieted Procyon HMI/SCADA product. This vulnerability was originally reported on the US-CERT secure portal on August 4th.

This vulnerability would allow a moderately skilled attacker to use a specially crafted packet to cause a buffer overflow via the Telnet daemon allowing for a denial of service attack and potentially allow the remote execution of arbitrary code.

Scadatec Limited has produced an updated version of Procyon HMI/SCADA product that is free of this vulnerability. Current customers can download the new version from

General Comments

The increased visibility of SCADA system vulnerabilities has started to produce the additional attention of security researchers that has been predicted by a number of commentators in the ICS security arena. We must assume that the portion of the Black Hat community actively interested in attacking systems has also increased their attention on industrial control systems. We should start to see apparently random attacks on such systems. Hopefully system owners will report such attacks to ICS-CERT and/or RISI.

It is interesting to see Siemens specifically decline to produce a patch or update to deal with this new vulnerability. It is good to see that the vulnerable system is disabled by default, but it is unreasonable to assume that all users will remember to re-disable the loader when they are done using it to update firmware. They are setting their customers up for failure.

No comments:

/* Use this with templates/template-twocol.html */