Yesterday the folks at DHS ICS-CERT published an advisory on
multiple vulnerabilities in a number of Emerson products, as well as a Joint
Security Awareness Report (JSAR) on sKyWIper/Flame.
Emerson Advisory
The Emerson
Advisory was published describing multiple vulnerabilities in the DeltaV,
DeltaV Workstations, and DeltaV ProEssentials Scientific Graph applications.
The vulnerabilities were reported in a coordinated disclosure by Kuang-Chun
Hung of the Security Research and Service Institute - Information and
Communication Security Technology Center (ICST). The Advisory (along with an
earlier version) had been previously posted to the US-CERT secure portal.
The five reported vulnerabilities are:
• Cross-site scripting - CVE-2012-1814;
• SQL injection - CVE-2012-1815;
• Denial of service - CVE-2012-1816;
• Buffer overflow - CVE-2012-1817; and
• File manipulation - CVE-2012-1818.
(Note: Those links are not yet active as of 06:30 EDT 5-31-12;
give them a day or two.)
These vulnerabilities are remotely exploitable by a
moderately skilled attacker. The potential results vary from DoS to execution
of arbitrary code. Emerson has distributed a notification (no link available in
the ICS-CERT Advisory) about a hotfix to resolve these vulnerabilities, though
the Advisory does not specifically state that either ICS-CERT or the
originating researchers have verified the efficacy of the hotfix.
Dale Peterson made a very interesting point last night in a
tweet on this Advisory. He noted that the Emerson DeltaV applications are “very
critical DCS software that's widely used in refineries & other CI [Critical
Infrastructure]”. As such I am slightly disturbed that ICS-CERT did not publish
a link to the Emerson notification, relying instead on a push of that
information to owner-operators. I would be willing to bet that there are a
number of installations where the point of contact information in the Emerson
files is out-of-date.
NOTE: There is a typo in the link for this Advisory on the
ICS-CERT web page. It reads http://www.us-cert.gov/control_systems/pdf/IICSA-12-138-01.pdf,
but should read http://www.us-cert.gov/control_systems/pdf/ICSA-12-138-01.pdf.
sKyWIper/Flame JSAR
Over the long Memorial Day weekend the big cybersecurity
news was the discovery of a new cyber-espionage ‘tool’ (no consensus yet on
what to describe it as) called sKyWIper or Flame. It has been reported on by CrySyS, Symantec,
and Kaspersky.
The JSAR
published by ICS-CERT offers no new information and only a very weak summary of
the information currently available on this malware. It does make one important point, however, when
it states that “no evidence exists that sKyWIper specifically targets
industrial control systems”; at least not yet.
If you want to read a good summary article about what is
currently known about sKyWIper, you can click on the link under the ‘Critical
Infrastructure News’ tab on the ICS-CERT web page for the
Tofino Security blog
post on the topic. Eric Byres does his typical good job of explaining
cybersecurity information. This is an interesting bug with lots of
implications. We’ll be talking about it for some time to come.