Saturday, December 3, 2011

ICS-CERT Updates Two Siemens Alerts and Issues New Alert

Yesterday afternoon the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) updated two recently released alerts for Siemens control systems and issued a new alert for CoDeSys, a SCADA/HMI product.


The two Siemens alerts were issued earlier this week based upon vulnerability reports published by Luigi. They affected the Siemens Automatic License Manager and the SIMATIC WinCC system. Both of the updates are essentially a confirmation of the identified vulnerabilities by Siemens along with their evaluation of the potential vulnerability impacts. There are no substantial differences between the Siemens characterization and that reported by Luigi.

This is a pretty quick, positive response from Siemens. It would have been nice for this to include an indication of when Siemens would patch the system, but the fact that ICS-CERT and Siemens are cooperatively working the issue is a positive step forward.


The vulnerability reported in the CoDeSys alert appears to be a pretty standard buffer overflow vulnerability in an HMI. One would expect that exploitation of this vulnerability (a proof-of-concept exploit is publicly available) could result in a DoS attack or perhaps remote execution of arbitrary code.

What makes this alert interesting is the juxtaposition of certain ICS-CERT code phrases. We start off with the “is aware of public reporting” in the first paragraph; this typically means that there has been an uncoordinated disclosure. The second paragraph leads with “had been [emphasis added] coordinating the vulnerability with the security researcher and affected vendor” which indicates that this was initially a coordinated disclosure.

Combine the two in the same ICS-CERT alert and one would assume that the researcher, Celil Unuver of SignalSEC Labs, had gotten impatient with the rate of progress on developing a mitigation strategy for this particular vulnerability report. This is one of the common justifications we hear from researchers who do not try to cooperatively release their vulnerability discoveries. So this is another set-back in the road to security researchers, vendors and ICS-CERT working cooperatively to improve control systems security.

Fortunately, the apparent progress at Siemens far outweighs this set-back.
