Tuesday, December 13, 2011

An Alert and an Advisory from ICS-CERT

Yesterday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) issued a new alert and a new advisory for control system vulnerabilities. The advisory concerns a vulnerability in 7T IGSS and the alert deals with multiple vulnerabilities in a Schneider Electric system.

SafeNet Sentinel

The advisory actually concerns an input sanitization vulnerability in the SafeNet Sentinel HASP Software Rights Management (HASP-SRM) license management application, but the 7T IGSS control system software uses this program as its digital license manager. The vulnerability was discovered by Carlos Mario Penagos Hollman of Synapse-labs.

The advisory notes that a moderately skilled attacker could use this vulnerability to inject HTML code into the configuration file, but it does not provide ICS-CERT’s normal description of the potential impact of such an injection. Instead it offers the minimally helpful statement that, because of the many factors unique to each organization, “ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation”.

SafeNet has provided a patch to mitigate the vulnerability and provides more detailed information on the vulnerability and the patch installation.
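To show what the “input sanitization” class of bug in a license configuration file looks like in practice, here is an added, generic illustration (not HASP-SRM code, and not from the advisory): a value stored in a configuration file is later rendered into an HTML status page, once without escaping and once with an output escape plus an allow-list check. The file format, field names and sample values are all constructed for the example.

```python
"""Vulnerable and hardened rendering of configuration values into HTML.

Added example; the config format and field names are assumptions, not the
layout of any real license manager's configuration file.
"""
import html
import re

# Constructed configuration file content. The "notes" value has been tampered
# with to carry markup, which is the injection case the advisory describes.
CONFIG_TEXT = """\
vendor = Example Vendor
license_id = ABC-123
notes = <script>alert(1)</script>
"""


def parse_config(text):
    """Parse simple 'key = value' lines into a dict (unknown lines ignored)."""
    cfg = {}
    for line in text.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            cfg[key.strip()] = value.strip()
    return cfg


def render_unsafe(cfg):
    """Interpolates raw values: markup stored in the file reaches the browser intact."""
    return "".join(f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in cfg.items())


# Conservative allow-list for license fields: letters, digits, space, . _ -
ALLOWED_VALUE = re.compile(r"^[A-Za-z0-9 ._-]{0,64}$")


def validate_config(cfg):
    """Return the names of fields whose values fall outside the allow-list."""
    return [k for k, v in cfg.items() if not ALLOWED_VALUE.match(v)]


def render_safe(cfg):
    """Escapes on output, so even a tampered file renders as inert text."""
    return "".join(
        f"<tr><td>{html.escape(k)}</td><td>{html.escape(v)}</td></tr>"
        for k, v in cfg.items()
    )


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print("rejected fields:", validate_config(cfg))
    print("unsafe:", render_unsafe(cfg))
    print("safe:  ", render_safe(cfg))
```

The two defences are independent: validation at load time catches a tampered file before it is used, and escaping at render time protects the page even if a value slips past validation.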

Schneider Electric

The alert concerns public reporting of a partially coordinated disclosure (ICS-CERT was apparently given at least some advance notice of the disclosure) by Ruben Santamarta of a vulnerability in the Schneider Electric Quantum Ethernet Module. NOTE: That convoluted sentence describes a situation that probably has a very interesting story behind it, perhaps related to another Schneider vulnerability recently reported in a post at Digital Bond’s SCADA Security Portal.

The multiple vulnerabilities concern hardcoded credentials in three different services associated with this product. There is a long list of affected systems in this alert. The vulnerabilities in two of the services could allow “remote attackers the ability to view the operation of the module’s firmware, cause a denial of service, modify the memory of the module, and execute arbitrary code”. The third service’s vulnerability ‘only’ (small sarcasm alert) may allow “an attacker to modify the module website, download and run custom firmware, and modify the http passwords”.

Schneider has a ‘fix’ developed to remove two of the services, but it is not yet posted to their web site. Of course, this fix will not be too helpful for organizations that actually use these services (Telnet Port and Windriver Debug Port).
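Until the fix is available, the practical question for an asset owner is whether anything is actually talking to the Telnet and Wind River debug services on the modules. The following is an added example, not from the alert or from Schneider: it runs detection logic over a handful of constructed firewall log lines and flags allowed connections to TCP/23 (Telnet) and UDP/17185 (the standard port of the VxWorks WDB debug agent) on hosts in an assumed control-network range of 10.10.0.0/24. The log format and addresses are made up for the example.

```python
"""Flag firewall log entries reaching the Telnet and Wind River debug services
on control-network hosts.

Added example. Assumptions: a generic "ts action proto src:port -> dst:port"
log format, and a control network of 10.10.0.0/24.
"""
import ipaddress
import re

# Services the fix would remove; port numbers are the standard ones for
# Telnet (TCP/23) and the VxWorks WDB debug agent (UDP/17185).
WATCHED_SERVICES = {
    ("tcp", 23): "telnet",
    ("udp", 17185): "wdb-debug",
}

CONTROL_NET = ipaddress.ip_network("10.10.0.0/24")  # assumption for the example

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOGS = [
    "2011-12-12T08:01:02Z ALLOW tcp 192.168.5.20:51234 -> 10.10.0.15:23",
    "2011-12-12T08:01:03Z ALLOW tcp 192.168.5.20:51235 -> 10.10.0.15:502",
    "2011-12-12T08:02:10Z ALLOW udp 172.16.9.4:40001 -> 10.10.0.16:17185",
    "2011-12-12T08:02:11Z DENY tcp 203.0.113.7:4444 -> 10.10.0.15:23",
    # Module acting as a client to a host outside the control net: not a hit.
    "2011-12-12T08:03:00Z ALLOW tcp 10.10.0.15:1025 -> 192.168.5.20:23",
    "garbage line that does not parse",
]


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_watched_service_hits(lines, control_net=CONTROL_NET, allowed_only=True):
    """Return records of traffic to a watched service on a control-net host.

    With allowed_only=True only ALLOW entries count (traffic that actually got
    through); set it to False to also see blocked attempts.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if allowed_only and rec["action"] != "ALLOW":
            continue
        if ipaddress.ip_address(rec["dst"]) not in control_net:
            continue
        service = WATCHED_SERVICES.get((rec["proto"], rec["dport"]))
        if service is None:
            continue
        hits.append({"ts": rec["ts"], "src": rec["src"],
                     "dst": rec["dst"], "service": service})
    return hits


def summarize(hits):
    """Count hits per watched service."""
    counts = {}
    for h in hits:
        counts[h["service"]] = counts.get(h["service"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_watched_service_hits(SAMPLE_LOGS)
    for h in hits:
        print(f"{h['ts']} {h['service']:10s} {h['src']} -> {h['dst']}")
    print(summarize(hits))
```

Sources that show up as legitimate users of these services are the organizations the post has in mind, for whom simply removing the services is not an option; everything else is a candidate for a firewall rule while the fix is pending.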
