Yesterday the DHS ICS-CERT published a revision to an alert and an advisory to address the issues in an earlier alert. The systems involved are the WAGO IO 750 and the Wonderware SuiteLink.
WAGO Alert Update
This revised WAGO alert updates an alert issued five months ago concerning multiple vulnerabilities in the IO System 750 identified by Digital Security Research Group (DSecRG). WAGO has issued a cybersecurity bulletin that recommends disabling two ports when ‘not actively in use’ and ensuring that the Web Server Authentication feature remains enabled.
It is unusual for mitigation measures to be put into a revised alert instead of a final advisory (the revised alert doesn’t say that anyone has confirmed that these measures actually work, but it sounds as if they should). ICS-CERT doesn’t explain why they have taken this step, but I suspect that it is because implementing these measures sets operators up for future failure: they will forget the reason for disabling the features and leave the ports enabled after they have been turned back on for a legitimate purpose, updating firmware for instance.
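The failure mode described above, a compensating control that is quietly undone during maintenance, is what a configuration-drift check is for. The following Python script is an added example and is not code from the post, from ICS-CERT or from WAGO. It assumes a constructed inventory of open TCP ports and authentication settings per device (in practice produced by your own port inventory or device export) and uses placeholder port numbers, since the bulletin's actual port numbers are not given on this page; substitute the ports named in the vendor notice.

```python
"""Drift check for 'disable these ports unless in use' style mitigations.

Added example, not from the original post. The two port numbers below are
placeholders, NOT the ports named in WAGO's bulletin.
"""
from dataclasses import dataclass, field

# Placeholder values; replace with the ports from the vendor bulletin.
PLACEHOLDER_PORT_1 = 60001
PLACEHOLDER_PORT_2 = 60002


@dataclass(frozen=True)
class Policy:
    """Ports that must be closed outside an approved maintenance window,
    plus whether web server authentication must stay enabled."""
    ports_closed_unless_in_use: frozenset
    require_web_auth: bool = True


@dataclass
class DeviceState:
    name: str
    open_tcp_ports: set = field(default_factory=set)
    web_auth_enabled: bool = True
    in_maintenance_window: bool = False  # e.g. firmware update approved


def parse_inventory(lines):
    """Parse constructed inventory lines of the form:
         <device> port <n> open
         <device> webauth <on|off>
         <device> maintenance <on|off>
    Returns a dict of device name -> DeviceState."""
    devices = {}
    for raw in lines:
        parts = raw.split()
        if len(parts) < 3:
            continue  # ignore blank or malformed lines
        name, kind = parts[0], parts[1]
        dev = devices.setdefault(name, DeviceState(name))
        if kind == "port" and len(parts) == 4 and parts[3] == "open":
            dev.open_tcp_ports.add(int(parts[2]))
        elif kind == "webauth":
            dev.web_auth_enabled = parts[2] == "on"
        elif kind == "maintenance":
            dev.in_maintenance_window = parts[2] == "on"
    return devices


def check_device(dev, policy):
    """Return (device, severity, message) findings for one device."""
    findings = []
    for port in sorted(policy.ports_closed_unless_in_use & dev.open_tcp_ports):
        if dev.in_maintenance_window:
            # Expected while work is in progress; still worth recording so the
            # port is seen to be closed again when the window ends.
            findings.append((dev.name, "info",
                             f"port {port} open during maintenance window"))
        else:
            findings.append((dev.name, "high",
                             f"port {port} open outside maintenance window"))
    if policy.require_web_auth and not dev.web_auth_enabled:
        findings.append((dev.name, "high", "web server authentication disabled"))
    return findings


def check_inventory(lines, policy):
    """Run the drift check over a whole inventory; returns all findings."""
    findings = []
    for name in sorted(parse_inventory(lines)):
        findings.extend(check_device(parse_inventory(lines)[name], policy))
    return findings


# Constructed sample inventory: one compliant device, one in an approved
# maintenance window, one where the mitigation has silently been undone.
SAMPLE_INVENTORY = [
    f"plc-01 port {PLACEHOLDER_PORT_1} closed",
    "plc-01 webauth on",
    f"plc-02 port {PLACEHOLDER_PORT_1} open",
    "plc-02 maintenance on",
    "plc-02 webauth on",
    f"plc-03 port {PLACEHOLDER_PORT_2} open",
    "plc-03 webauth off",
]

POLICY = Policy(frozenset({PLACEHOLDER_PORT_1, PLACEHOLDER_PORT_2}))

if __name__ == "__main__":
    for device, severity, message in check_inventory(SAMPLE_INVENTORY, POLICY):
        print(f"{severity.upper():5} {device}: {message}")
```

Running this on a schedule and treating any "high" finding as an incident turns a one-time vendor recommendation into a control that is actually verified, which is the gap the revised alert leaves open.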
What is severely disappointing is that it took five months for WAGO to come up with these mitigation measures, which required no real work on their part beyond publishing a notice on their web site. This would have been a smart move on their part if it had happened within a day or two of the publication of the original alert, pending a more structural change in the software. At this late date it indicates that the management team doesn’t care about security issues with their products. CAVEAT EMPTOR
Wonderware Advisory
This advisory for a stack-based buffer overflow vulnerability is a better example of how mitigation measures should be handled. The original alert, based upon a Luigi uncoordinated disclosure, was published just over a month ago. Invensys has produced a patch for their SuiteLink package and its efficacy has been verified by Luigi. The thirty-five day turnaround on an uncoordinated disclosure is very reasonable.