Sunday, November 6, 2011

ICS-CERT and More Advantech Vulnerabilities

On Friday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) updated a previous advisory and published a new advisory for vulnerabilities on Advantech control system products. The products are their OPC Server and the BroadWin WebAccess HMI.

BroadWin WebAccess

Last March ICS-CERT published an Alert about an RPC vulnerability on the Advantech BroadWin WebAccess HMI which was followed in April by the publication of an Advisory providing more details about the vulnerability reported by Ruben Santamarta. The vulnerability would allow a moderately skilled attacker to use a publicly available exploit to remotely execute arbitrary code on the vulnerable systems.

This update announces that “Advantech/BroadWin has notified ICS-CERT that a patch will not be issued to address this vulnerability” (page 1 of the Advisory). There is no explanation of why that decision has been made seven months after the original advisory was published. This leaves users with just the standard ‘security considerations’ found in the installation manual or the ICS-CERT standard practices to prevent this kind of attack. It doesn’t sound terribly good for the home team.

Then again, if you look at the BroadWin web site, one of the main selling points for their system (#2 on their list) is: “Remotely configure and support automation systems.” If this is really important to an organization, they are going to have to take care to ensure that their communications with those systems are truly secure. Buyer beware.

Oh yes, a CVE number has now been assigned to this vulnerability: CVE-2011-4041. At least that is what the Advisory update says (page 2). The link provided returns an error message stating that the CVE was not found.

OPC Server

The new advisory for the Advantech OPC Server describes a buffer overflow vulnerability (CVE-2011-1914; same error message for this link as well) that would allow an attacker with a relatively low skill level to execute a DoS attack and a more skilled attacker to remotely execute arbitrary code. Patches are available for the affected products. As is usual for coordinated disclosures, this advisory was published on a limited access US-CERT server “to allow users time to download and install the update” (page 1).
