Yesterday afternoon DHS ICS-CERT published three advisories: one about a recent coordinated disclosure and two about old vulnerabilities identified by the vendor. The new one concerns a single vulnerability in a variety of Invensys systems. Both of the older problems deal with Siemens systems. Oh, and remember this for later: the new advisory and one of the old ones deal with DLL vulnerabilities.
Invensys Advisory
This advisory deals with an uncontrolled search path element vulnerability (otherwise known as a DLL hijack) in a variety of products in the Wonderware System Platform family. An uncontrolled search path element means the application loads a library by bare file name and lets Windows walk its DLL search order to find it, so any attacker-writable directory on that path (typically the current working directory) can supply the library instead of the legitimate one. The vulnerability was discovered by Carlos Mario Penagos Hollmann. The advisory was first posted on the US-CERT secure portal on July 5th.
A moderately skilled attacker could exploit this vulnerability by placing a malicious DLL on the system where the application will find it before the legitimate library. To exploit this vulnerability the attacker must have physical access to the system or be able to manipulate a user with access to the system.
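To see why the search order is the whole story here, the following PowerShell check is an added example (not from the advisory and not Invensys code). It walks the standard Windows DLL search order for a DLL name, reports where a bare-name LoadLibrary would resolve it, and flags every directory searched earlier that ordinary users can write to. It assumes SafeDllSearchMode is enabled (the default on supported Windows versions), which places the current working directory after the system directories but before PATH; the DLL name and application directory in the usage line are hypothetical placeholders.

```powershell
# Added example: audit where a bare-name LoadLibrary("name.dll") would resolve.
# Assumes SafeDllSearchMode is on (the default), giving this order:
#   application dir -> System32 -> System (16-bit) -> Windows -> current dir -> PATH
# Names in HKLM\...\KnownDLLs are always mapped from System32 and are therefore
# not reachable by a search-path hijack; they are reported and skipped.

function Test-UserWritableDirectory {
    param([string] $Directory)
    if (-not (Test-Path -LiteralPath $Directory -PathType Container)) { return $false }
    $acl = Get-Acl -LiteralPath $Directory
    foreach ($ace in $acl.Access) {
        $rights = [int] $ace.FileSystemRights
        # CreateFiles (0x2) is what an attacker needs to drop a DLL; GENERIC_WRITE
        # (0x40000000) and GENERIC_ALL (0x10000000) imply it on inherited ACEs.
        $canCreate = (($rights -band 2) -ne 0) -or (($rights -band 0x40000000) -ne 0) -or (($rights -band 0x10000000) -ne 0)
        $broad = $ace.IdentityReference.Value -match '^(BUILTIN\\Users|Everyone|NT AUTHORITY\\Authenticated Users)$'
        if ($ace.AccessControlType -eq 'Allow' -and $canCreate -and $broad) { return $true }
    }
    return $false
}

function Resolve-DllSearchOrder {
    param(
        [Parameter(Mandatory)] [string] $DllName,               # e.g. 'plugin.dll'
        [Parameter(Mandatory)] [string] $ApplicationDirectory,  # directory of the loading .exe
        [string] $WorkingDirectory = (Get-Location).ProviderPath
    )

    $knownDlls = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $isKnown = @($knownDlls.PSObject.Properties | Where-Object { $_.Value -is [string] -and $_.Value -ieq $DllName }).Count -gt 0
    if ($isKnown) {
        return [pscustomobject]@{ Dll = $DllName; ResolvedFrom = 'KnownDLLs (System32)'; Path = $null
                                  WritableBefore = @(); Hijackable = $false }
    }

    # Ordered list of directories in the sequence the loader consults them.
    $order = [ordered]@{
        'Application directory'     = $ApplicationDirectory
        'System directory'          = [Environment]::SystemDirectory
        '16-bit system directory'   = (Join-Path $env:SystemRoot 'System')
        'Windows directory'         = $env:SystemRoot
        'Current working directory' = $WorkingDirectory
    }
    $i = 0
    foreach ($p in ($env:PATH -split ';' | Where-Object { $_.Trim() })) { $order["PATH[$i] $p"] = $p.Trim(); $i++ }

    $writable = @()   # user-writable directories consulted before the DLL was found
    foreach ($entry in $order.GetEnumerator()) {
        $candidate = Join-Path $entry.Value $DllName -ErrorAction SilentlyContinue
        if ($candidate -and (Test-Path -LiteralPath $candidate -PathType Leaf)) {
            return [pscustomobject]@{ Dll = $DllName; ResolvedFrom = $entry.Key; Path = $candidate
                                      WritableBefore = $writable; Hijackable = ($writable.Count -gt 0) }
        }
        if (Test-UserWritableDirectory $entry.Value) { $writable += ($entry.Key + ': ' + $entry.Value) }
    }
    # Not found anywhere: the classic missing-DLL case. Any writable directory
    # in the order lets an attacker supply the library.
    return [pscustomobject]@{ Dll = $DllName; ResolvedFrom = '(not found)'; Path = $null
                              WritableBefore = $writable; Hijackable = ($writable.Count -gt 0) }
}

# Hypothetical usage: check a plug-in name against an application's own directory.
Resolve-DllSearchOrder -DllName 'plugin.dll' -ApplicationDirectory 'C:\Program Files\ExampleHmi' | Format-List
```

Run it from the working directory the application actually starts in (for an HMI launched from a project folder or a share, that is the interesting case), and treat a `Hijackable` of `True` with `(not found)` as the highest-risk result: the application keeps asking for a library that nothing legitimate provides, so whoever controls one of the listed directories provides it.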
Invensys has developed a patch for the affected systems which is available on the Wonderware web site.
Siemens Advisories
Siemens self-reported two vulnerabilities that are being addressed in separate advisories. The first is an insecure SQL server vulnerability and the second is a DLL loading mechanism vulnerability. As if self-reporting is not odd enough (to be encouraged to be sure, but odd), the first vulnerability was patched in 2010 (update V5.5 SP1) and the second in 2011 (update V7.0 SP2 Update 1). Both vulnerabilities can be remotely exploited and public exploits exist for both.
No word about why Siemens wanted these vulnerabilities made public at this late date. It does seem obvious that they are the ones responsible for ICS-CERT publishing these now, but for the life of me I can't figure out why.
MS DLL Advisory
I'm not sure if Chris Jager knew about the two DLL vulnerabilities being reported by ICS-CERT, but in a Tweet this afternoon he pointed us at a Microsoft Security Advisory updated earlier this month (the 17th update of that advisory, actually) about insecure library loading. It discusses the type of DLL preloading (hijacking) attack covered in the two advisories published today. It notes that MS has provided guidance to software developers "on how to correctly use the available application programming interfaces to prevent this class of vulnerability".
More importantly for system owners, "Microsoft is releasing a tool that allows system administrators to mitigate the risk of this new attack vector by altering the library loading behavior system-wide or for specific applications". While this is not a control-system-specific tool, the fact that this class of vulnerability keeps turning up in ICS software might make it an important tool that should be in the ICS security tool box. One caveat: removing the current working directory from the search order can break an application that deliberately loads libraries relative to it, so the per-application setting should be tried on a test system before it is rolled out to production HMIs.
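What that tool actually changes is a single registry value, CWDIllegalInDllSearch, which the Microsoft update the advisory points to (KB2264107) teaches the loader to honour both system-wide and per application. The page itself does not name the value or the update; the key paths and the meanings of the DWORD below are taken from Microsoft's documentation of that update, and the example that follows is added here, not Microsoft's or ICS-CERT's code. It assumes the update (or a later Windows release that includes it) is installed and that the shell is elevated; the executable name in the usage line is a hypothetical placeholder.

```powershell
# Added example: set and inspect the CWDIllegalInDllSearch mitigation from KB2264107.
# Requires the update to be installed and an elevated prompt. Value names and
# meanings are from Microsoft's documentation of the update, not from this page.

$SessionManagerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'CWDIllegalInDllSearch'

# Documented DWORD meanings:
#   0xFFFFFFFF  remove the current working directory from the DLL search order entirely
#   2           block loads from the CWD when it is a remote folder (WebDAV or UNC share)
#   1           block loads from the CWD when it is a WebDAV folder
#   0 / absent  default behaviour: the CWD is searched
# The registry provider writes DWORDs through Int32, so -1 is stored as 0xFFFFFFFF.
$Modes = @{ Disable = -1; BlockRemote = 2; BlockWebDav = 1; Default = 0 }

function Set-CwdDllSearchPolicy {
    param(
        [Parameter(Mandatory)] [ValidateSet('Disable', 'BlockRemote', 'BlockWebDav', 'Default')]
        [string] $Mode,
        [string] $ExeName   # e.g. 'ExampleHmi.exe' (hypothetical); omit for the system-wide setting
    )
    # A per-application value lives under the Image File Execution Options key for
    # that binary name and overrides the system-wide value for that process.
    $key = if ($ExeName) { Join-Path $IfeoKey $ExeName } else { $SessionManagerKey }
    if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $ValueName -PropertyType DWord -Value $Modes[$Mode] -Force | Out-Null
}

function Get-CwdPolicyMeaning {
    param([object] $Value)
    if ($null -eq $Value) { return 'not set (default: CWD searched)' }
    switch ([int64] $Value) {
        -1         { 'CWD removed from search order' }
        4294967295 { 'CWD removed from search order' }
        2          { 'CWD blocked when remote (WebDAV/UNC)' }
        1          { 'CWD blocked when WebDAV' }
        0          { 'default: CWD searched' }
        default    { "unrecognised value $Value" }
    }
}

function Get-CwdDllSearchPolicy {
    # Reports the system-wide setting followed by every per-application override.
    $sys = (Get-ItemProperty -Path $SessionManagerKey -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $rows = @([pscustomobject]@{ Scope = 'System-wide'; Value = $sys; Meaning = (Get-CwdPolicyMeaning $sys) })
    foreach ($app in Get-ChildItem -Path $IfeoKey) {
        $v = (Get-ItemProperty -Path $app.PSPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
        if ($null -ne $v) {
            $rows += [pscustomobject]@{ Scope = $app.PSChildName; Value = $v; Meaning = (Get-CwdPolicyMeaning $v) }
        }
    }
    return $rows
}

# Hypothetical usage: block remote-CWD loads everywhere, remove the CWD entirely
# for one HMI binary that has been tested with that setting, then review the result.
Set-CwdDllSearchPolicy -Mode BlockRemote
Set-CwdDllSearchPolicy -Mode Disable -ExeName 'ExampleHmi.exe'
Get-CwdDllSearchPolicy | Format-Table -AutoSize
```

The system-wide `BlockRemote` setting is the low-risk starting point, since it only refuses libraries coming from a network location; `Disable` is the setting that actually closes the local-planting vector the Invensys advisory describes, and that is the one to stage per application on a test system first, because an HMI that loads plug-ins relative to its working directory will stop finding them.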
It might be a good idea for ICS-CERT to partner with Microsoft on making this tool specifically available to ICS owners.