Wednesday, October 12, 2011

ICS-CERT Updates Two Notices and Issues New Advisory

This has been a busy week for the folks at the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT); they updated a recently issued alert and an advisory and issued a new advisory. The Unitronics Advisory was updated, as was the Alert for ULE-OCP; actually, that alert was re-issued after ICS-CERT got names straightened out. A new advisory was issued for Honeywell’s TEMA system.

Open Automation Software

The OPC Systems Alert that was published on Monday as part of the ICS-CERT response to the latest Luigi disclosures has been superseded by a new alert that corrected some apparent system naming errors that had been included in the Luigi documentation. Amazingly the link to the superseded document still works. Unfortunately, ICS-CERT cannot blame this error on Luigi because they refuse, as a matter of policy, to disclose the names of security researchers who release vulnerability information through an uncoordinated disclosure process.

BTW: I had an error in my blog posting on Monday’s three Alerts. Fortunately, Dan, a sharp-eyed reader, caught the error and notified me of the problem. When I went to correct the problem, this new version of the alert was already published and I put the link to the corrected document in that post. If anyone is interested, that original Alert can be found here, at least for the time being. [NOTE: As of 1-12-12 this old alert is no longer available via this link. I'm not sure when it went dead.]

Unitronics UniOPC

If this revision was not written by a lawyer, it had to have at least been directed by a lawyer, probably the vendor’s lawyer. This is a three-part change that you have to be very alert to track. The first change adds a footnote to a link to the web site of the third party vendor that provided the offending component. The second changes “other applications that support OLE for Personal Computers (OPC)” to read “other OPC applications”. The final revision changes “resides in the https.ocx component of ‘IP*Works! SSL’” to read “resides in the https50.ocx component of ‘IP*Works! SSL’” and removes the footnote link to the third party vendor web site. This is a highly consequential change [Sarcasm Warning].

Honeywell Temaline Access Control

This new Advisory for the Honeywell Enterprise Buildings Integrator (EBI) system is based upon a coordinated disclosure by Billy Rios and Terry McCorkle. If you haven’t heard about this dynamic duo you certainly will; they discovered 665 vulnerabilities in 75 HMI applications in 100 days (see the Digital Bond posting for more details; make sure to read the Reader Comments) and coordinated them all through ICS-CERT. In any case, this doesn’t look like it belongs in the list of 665 vulnerabilities and it isn’t really about an industrial control system as chemical engineers think about such systems, but it is potentially important to chemical facility security nonetheless.

It does involve a component of Honeywell’s Enterprise EBI called Temaline. According to the Honeywell web site:

“Honeywell Temaline offers handling and monitoring of electronic access control, visitor/contractor management, time and attendance and mustering. Integration with security management, enterprise resource planning (ERP) and closed-circuit television (CCTV) systems provides one-window access to and control over the cardholder database to determine who is allowed access to what places and at what times.”

The vulnerability occurs in the Tema Remote Installer that includes an ActiveX function that is “configured to ignore file authentication”. A moderately skilled attacker could remotely exploit this vulnerability to craft, download and install an MSI file that could allow execution of arbitrary code. It would seem to me that that code could include allowing an attacker physical access through the security system by any number of means.

Honeywell developed a patch for this vulnerability; unfortunately that patch also kills legitimate uses of the offending MSI file. Work-around instructions for that issue are included in the patch directions.
