New ICS-CERT Vulnerability Record Set

In the last couple of days ICS-CERT has published a generic control system alert and an advisory that sets a new record for the number of multiple vulnerabilities listed in a single control system. That advisory combines information from two different alerts published last fall along with information from at least two separate coordinated vulnerability disclosures.

Generic Control System Alert

The alert issued late Wednesday, entitled “Increasing Threat to Industrial Control Systems” combines a reiteration of the data covered in the three alert updates issued on Valentine’s Day for the Basecamp tools released by Digital Bond with information about increased interest in attacking control systems. The last includes a valuable piece of threat intelligence. The Alert explains:

“ICS-CERT has recently seen a marked increase in interest shown by a variety of malicious groups, including hacktavist and anarchist groups, toward Internet accessible ICS devices. This increased activity includes the identification of Internet facing ICS devices and the public posting of IP address to various websites. In addition, individuals from these groups have posted online requests for others to visit or access the identified device addresses.”

I have previously noted that I thought that one of the main threats to control systems at high-risk chemical attacks would be from radical environmental activist groups. Recent physical break-ins at a Duke Energy coal-fired electrical power generation facility by Greenpeace activists aimed at stopping the use of coal show an increasing trend for high-profile actions to bring public attention to their cause. Spreading such actions into the cyber sphere is certainly to be expected.

ICS-CERT is to be commended for sharing this cyber-intelligence information with the control system security community. The inclusion of a listing of generic mitigation measures that system managers can use to help protect their control systems against these kinds of attacks increases the value of the information. I would also like to suggest that owners should directly contact their system vendors to see what additional actions can be taken to protect their specific system.

Record Vulnerabilities

It looks like ICS-CERT has decided to decrease the number of advisories that it has to produce by combining information from multiple disclosure sources whenever possible. The latest example of this is yesterday’s release of an Advisory about the Advantech BroadWin Access application. This advisory addresses two earlier alerts and coordinated disclosures from apparently at least two different sources (the earlier alerts pre-date the change in policy where ICS-CERT began identifying security researchers responsible for uncoordinated disclosures). Five separate researchers are identified in this advisory.

The Advisory reports 18 separate vulnerabilities in four general categories. That breaks the recently set record of 11 vulnerabilities reported in a Siemens advisory issued just last month. The categories are:

• Cross-site scripting (XSS);

• SQL injection;

• Cross-site report forgery (CSRF); and

• Authentication issues.

The advisory notes that all of the vulnerabilities are remotely exploitable with publicly available exploits for many of them. Attackers with low to moderate skills can exploit these vulnerabilities resulting in effects ranging from a DOS to running arbitrary code.

Advantech has released an updated version of WebAccess (ver. 7.0) to address these vulnerabilities. As in the Siemens advisory ICS-CERT reports varied successes with actually mitigating the problems. They note:

• ICST, iSIGHT, and ICS-CERT have validated that the new version mitigates Vulnerabilities 1 and 5−16.

• For Vulnerabilities 2 [SQL Injection] and 3 [Cross-Site Request Forgery], the patched version fixes the issue for unauthenticated users; however, the problem still remains for nonadmin project users.

• Vulnerability 4 [Information Leakage] was not patched, because Advantech does not consider it to be a security risk.

• Neither ICS-CERT nor independent researchers have validated that the new version resolves Vulnerabilities 17 [ActiveX Buffer Overflow] and 18 [SQL Injection].

The ‘non-security’ risk designation for vulnerability 4 is interesting. ICS-CERT describes the vulnerability this way:

“An unauthenticated user can access restricted information using specific URL addresses.”

From the point of view of the vendor, I suppose that since this does not directly alter the way the system behaves, it could be considered to be a fairly minor administrative issue. From the point of view of the facility owner that restricted information could be very valuable intellectual property about their manufacturing process. To decide not to patch this vulnerability sends a very bad message to current owners and potential customers.