This afternoon the DHS Industrial Control System Emergency Response Team (ICS-CERT) published two advisories for vulnerabilities in control systems. The first was an update of the Rockwell response to the latest round of Luigi disclosures. The second is a new vulnerability in the Unitronics UniOPC.
Rockwell
This revision of the Rockwell advisory published last week brings to a close the vulnerabilities disclosed by Luigi in Rockwell’s RSLogix 5000 and FactoryTalk products. Patches are now available for all of the affected products and versions. I don’t know how hard it was to patch these problems, but Rockwell was certainly prompt in their response to this disclosure.
Unitronics
The vulnerability identified in the UniOPC Server points out an issue that I have discussed previously: flaws in a third-party component of a control system. In this case the security researchers, Billy Rios and Terry McCorkle, identified an input-handling flaw in the control system that was traced back to a component of IP*Works! SSL. Nothing in this advisory explains whether this problem is restricted to the version of the component used in UniOPC Server or whether this vulnerability could be expected to be found in all products using this version of IP*Works! SSL.
ICS-CERT reports that a low to moderately skilled attacker could remotely exploit this vulnerability, potentially causing a system crash or executing arbitrary code.
Unitronics has provided an updated version of the product for download and recommends that all users install the new version. The new version does not include the offending IP*Works! SSL component. Unfortunately, ICS-CERT reports that installing the new version of UniOPC Server does not actually mitigate the problem, as it does not remove the problem file. The security researchers have provided ICS-CERT with a suggested method for removing the problem file after the new version has been installed, and that method is included in the Advisory.
It is a shame that Unitronics did not include the removal of https.ocx in their install process.
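Because the upgrade alone leaves the vulnerable component behind, a post-upgrade check is worth running. The script below is an added example, not the advisory's removal procedure or anything from Unitronics: it looks for a leftover https.ocx on disk and for any COM class registration that still points at it. The install directory is an assumption and should be adjusted to the real installation.

```powershell
# Added post-upgrade verification (not from ICS-CERT or Unitronics): confirm that
# the IP*Works! SSL component https.ocx is gone and no longer registered as a
# COM server after the updated UniOPC Server has been installed.
param(
    [string]$InstallDir = 'C:\Program Files\Unitronics\UniOPC'   # assumed path
)

$findings = @()

# 1. Look for the file itself: recursively under the (assumed) install directory,
#    and non-recursively in the system directories where OCX files are often copied.
$fileHits = @()
if (Test-Path $InstallDir) {
    $fileHits += Get-ChildItem -Path $InstallDir -Filter 'https.ocx' -Recurse -File -ErrorAction SilentlyContinue
}
foreach ($sysDir in "$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64") {
    if (Test-Path $sysDir) {
        $fileHits += Get-ChildItem -Path $sysDir -Filter 'https.ocx' -File -ErrorAction SilentlyContinue
    }
}
foreach ($f in $fileHits) {
    $findings += [pscustomobject]@{
        Kind   = 'File'
        Detail = $f.FullName
        Extra  = "version=$($f.VersionInfo.FileVersion) sha256=$((Get-FileHash -Algorithm SHA256 -Path $f.FullName).Hash)"
    }
}

# 2. Look for stale COM registration: a registered OCX leaves
#    CLSID\{...}\InprocServer32 keys whose default value is the file path.
foreach ($hive in 'HKLM:\SOFTWARE\Classes\CLSID', 'HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID') {
    if (-not (Test-Path $hive)) { continue }
    Get-ChildItem -Path $hive -ErrorAction SilentlyContinue | ForEach-Object {
        $srv = Get-ItemProperty -Path (Join-Path $_.PSPath 'InprocServer32') -ErrorAction SilentlyContinue
        if ($srv -and $srv.'(default)' -match 'https\.ocx$') {
            $findings += [pscustomobject]@{ Kind = 'COM registration'; Detail = $_.PSChildName; Extra = $srv.'(default)' }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: https.ocx not found on disk and no COM registration points at it.'
} else {
    Write-Output 'WARNING: the vulnerable component is still present; apply the removal steps in the ICS-CERT advisory.'
    $findings | Format-Table -AutoSize
}
```

Run it from an elevated prompt after the upgrade, and again after following the advisory's removal steps, to confirm both the file and its registration are gone.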