Saturday, October 22, 2011

ICS-CERT Updates Duqu and Luigi

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) issued a second update to their alert about the W32.Duqu Trojan and provided an advisory for one of the round-2 Luigi vulnerabilities (leaving, by my count, just two round-2.1 vulnerabilities unaddressed by vendors).

Duqu and ICS Vendors/Systems


Did Duqu get over hyped? Well the latest update to the ICS-CERT alert would certainly seem to indicate that. The lead paragraph to the updated section states:

“ICS-CERT, in close coordination with Symantec and the original researchers, has determined after additional analysis that neither industrial control systems nor vendors/manufacturers were targeted by Duqu [emphasis in original]. In addition, as of October 21, 2011, there have been very few infections and there is no evidence based on current code analysis that Duqu presents a specific threat to industrial control systems.”

Boy, doesn’t that make Symantec seem a tad bit overblown in their report? Maybe, but it gets less clear when you go to the Symantec blogs and see what they have to say. This is from Eric Chien in their late-night update yesterday:

“I wrote Symantec's original blog post describing the discovery of Duqu. In that blog I use the term "industrial control system manufacturers" and (after discussions with a variety of parties) we want to change that term to "industrial industry manufacturers" to more accurately define where Duqu has been found. We already made this change to our paper.”

Okay, can someone please explain to me what an ‘industrial industry manufacturer’ is? Symantec doesn’t define the term but they do note that the change in language doesn’t affect who they think is at risk. Then they add this clarifying remark:

“Considering the history of Stuxnet, the potential of the same attackers, and currently known targets, we urge industrial control system manufacturers and any other organizations who provide solutions to industrial facilities to audit their network for Duqu. The command and control IP is a reliable network indicator of Duqu infection for all the variants discovered so far.”
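Symantec’s remark that the command and control IP is a reliable network indicator is the kind of thing that turns into a log audit. The following is an added example, not code from the original post, from Symantec or from ICS-CERT: a small Python scan over constructed firewall log lines that reports every internal host that contacted an indicator address. The indicator address 203.0.113.5 is a documentation-range placeholder, not the real Duqu address, and the iptables-style log format is an assumption.

```python
"""Added example: audit firewall logs for contacts with a C2 IP indicator.

The indicator below is a placeholder from the TEST-NET-3 documentation
range, NOT a real Duqu command and control address; the real value would
come from the vendor report. The log lines are constructed for this
example and follow an iptables-like key=value layout (an assumption).
"""

import ipaddress
import re
from collections import Counter

# Placeholder indicator set (assumption: populate from the actual IOC list).
C2_INDICATORS = {ipaddress.ip_address("203.0.113.5")}

# Constructed sample log lines; the last one is deliberately malformed.
SAMPLE_LOG = """\
Oct 21 02:14:07 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.30.41 DST=203.0.113.5 PROTO=TCP SPT=49211 DPT=80
Oct 21 02:14:09 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.30.42 DST=198.51.100.7 PROTO=TCP SPT=51033 DPT=443
Oct 21 02:15:31 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.30.41 DST=203.0.113.5 PROTO=TCP SPT=49215 DPT=443
Oct 21 02:16:02 fw1 kernel: DROP IN=eth1 OUT=eth0 SRC=10.20.30.77 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=80
this line is garbage and should be skipped
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?DPT=(?P<dpt>\d+)")


def parse_line(line):
    """Return (src_ip, dst_ip, dst_port) for a well-formed line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:
        # Field present but not a valid address: skip rather than crash the audit.
        return None
    return src, dst, int(m.group("dpt"))


def find_c2_contacts(log_text, indicators=C2_INDICATORS):
    """Return {internal_host: count} for hosts that tried to reach an indicator.

    Both ACCEPT and DROP lines are counted on purpose: an attempt to reach
    the C2 address is evidence that the host is infected even when the
    firewall blocked the connection.
    """
    hits = Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, _dport = parsed
        if dst in indicators:
            hits[str(src)] += 1
    return dict(hits)


if __name__ == "__main__":
    for host, n in sorted(find_c2_contacts(SAMPLE_LOG).items()):
        print(f"{host}: {n} connection attempt(s) to a C2 indicator")
```

Matching on the destination address alone is what makes the indicator "reliable" here: it does not depend on port, protocol or whether the connection succeeded, so a dropped attempt is still flagged.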

Well, it is still early in the Duqu story and if Stuxnet is any clue we will be talking about updates for quite some time.

Updates for Luigi 2.0


Okay, that (Luigi 2.0) is my term so I had better explain it; it refers to the second batch of multiple disclosures made by Luigi Auriemma back in September. There have been some individual disclosures made by Luigi since then; they could be numbered 2.X sequentially. If he makes another mass disclosure it would be 3.0. Enough about terminology…

The last of the 2.0 disclosures was addressed in the ICS-CERT advisory issued yesterday and it dealt with the Progea Movicon HMI. Three vulnerabilities were addressed, two buffer overflows (CVE-2011-3491 and CVE-2011-3498) and one memory corruption (CVE-2011-3499). A ‘hot fix’ has been developed by Progea to address these vulnerabilities.

According to the ICS-CERT Advisory a low skilled attacker could remotely exploit these vulnerabilities to conduct a DoS attack. A ‘skilled attacker’ (sorry guys, an ‘attacker with a low skill level’ is still a ‘skilled attacker’; your terminology needs to be cleaned up; try at least ‘a more skilled attacker’) could exploit these vulnerabilities to execute arbitrary code.
