Yesterday the DHS ICS-CERT published a new
advisory concerning multiple vulnerabilities reported in two applications
provided by WellinTech: KingView and KingHistorian. These vulnerabilities were
reported by Carlos Mario Penagos Hollman and Dillon Beresford in a coordinated
disclosure.
The Vulnerabilities
The vulnerabilities are remotely exploitable and can be
exploited by a moderately skilled attacker. The advisory notes that four of the
vulnerabilities could result in execution of arbitrary code and the fifth (path
traversal) would allow access to process information. The vulnerabilities include:
• Stack-based buffer overflow;
• Heap-based buffer overflow;
• Out-of-bounds read;
• Path traversal; and
• Improper restriction of operations within the bounds of a memory buffer.
WellinTech has produced separate patches for KingView
and KingHistorian.
ICS-CERT reports that Hollman and Beresford have validated the patches.
Information Sharing
There is one small oddity in this advisory. Typically when
ICS-CERT reports on a coordinated disclosure it posts the information initially
on the US-CERT limited access server so that owner/operators have a chance to
patch their systems before the vulnerability becomes public knowledge. ICS-CERT
usually reports that this has happened in the overview section of the advisory;
it did not do so in this case. It is not clear whether this was just an
omission of the comment (inadvertent or otherwise) or if ICS-CERT did not post
this advisory on the restricted access server for some reason.
If it is the latter, I’m not sure that it would be a
significant change in process. We have no idea how many control system owners
have applied to obtain (or been approved to obtain) access to that US-CERT
server, but I would be very surprised if it were a significant fraction of the
actual owners in the US. Even those that do have access probably don’t utilize
it often enough to be assured of the early warning being made available through
these restricted releases.
There has to be some way to push this information to the
user level. I’m not sure how well vendors do in this regard (I would assume
that some do it better than others and some don’t do it at all), but from an
infrastructure protection point of view this is at least partially a
responsibility of DHS and thus, by default, ICS-CERT. To be fair, ICS-CERT does
make an effort; just recently they started tweeting (@ICS-CERT) about these vulnerability
advisories, but they currently have only 93 followers, and most of those are
commentators like me.
For critical infrastructure control systems, there needs to
be some sort of registration requirement where ICS-CERT maintains a registry of
control system owners that allows them to push these alerts and advisories
directly to security managers at the facility level. Then the owners could make
a timely decision on how to address the vulnerabilities in their systems.