Wednesday, November 2, 2011

ICS-CERT Updates Duqu – Issues 3 GE Proficy Advisories

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) issued an updated alert for Duqu and three separate advisories for the GE Proficy system.

W32.Duqu Alert Update


This is the fourth update (the third public one) of the Alert that ICS-CERT originally published on October 21st. It is based upon new information provided by Symantec and the Laboratory of Cryptography and Systems Security (CrySyS) of the Budapest University of Technology and Economics (the original discoverer and namer of Duqu in the wild). Version 1.3 of Symantec’s Duqu White Paper provides more detailed information. The ICS-CERT update does note that they are in the process of drafting a Duqu Advisory.

The good news is that a dropper for the malware has been identified. Unfortunately, it is a zero-day kernel vulnerability in MS Word that allows the malware to be sent as a Word document (.doc), so we now have malware delivery systems using both .PDF and .DOC files. Social engineering attacks just became that much more effective.

A second piece of good news is that a further C&C server has been identified and removed from the Internet, this time in Belgium. The bad news is that researchers have identified a Stuxnet-like peer-to-peer network communications protocol that allows a machine to contact the C&C server remotely. This makes it more difficult to identify an infected machine by its communications with the C&C server.

The real bad news in all of this is that W32.Duqu is apparently continuing to evolve. The good news is that there is still no indication of any actual attacks on control systems or positive identification of control system information being targeted. Keep your fingers crossed, your AV signatures up to date, and actively monitor your networks.

GE Intelligent Platform Proficy Advisories


ICS-CERT issued separate advisories on three different components of the GE Proficy platform. The components are:


Historian Web Administrator – Multiple cross-site scripting vulnerabilities, CVE-2011-3320; and

Historian Data Archiver – Buffer overflow vulnerability, CVE-2011-1918

All three advisories were previously issued on the US-CERT secure portal on August 31, 2011 to “allow users time to download and install the update” (from ‘Overview’ section on all three Advisories). Does it seem odd to anyone else that GE customers needed 2 months to download and install updates?

All three sets of vulnerabilities would allow remote exploitation by a moderately skilled attacker, but there are no known exploits available. Software improvement modules (updates) are available for all three sets of vulnerabilities.

Interestingly, all three of these advisories were based upon disclosures to ICS-CERT from GE Intelligent Platforms. There is no word on whether GE discovered these internally or an outside researcher coordinated the disclosures with GE rather than contacting ICS-CERT directly.

1 comment:

Dan said...

scary stuff indeed
