Yesterday ICS-CERT published advisories for vulnerabilities in two control system products: one a demonstration product that doesn’t really control anything, and the other a distributed control system that is used in a wide variety of situations.
RealWinDemo Advisory
This advisory describes a DLL hijack vulnerability in the RealWinDemo and RealWin products from RealFlex; both products are generally used as sales demonstration tools, but RealWin has been used in small automation projects. The vulnerability was reported by Carlos Mario Penagos Hollmann.
A relatively low-skilled attacker could exploit this vulnerability given local system access. A successful exploit could allow for arbitrary code execution. An updated version of the product is available for download.
Honeywell HMIWeb Browser Advisory
This advisory describes a browser buffer overflow vulnerability in the HMIWeb Browser used by both Honeywell Process Solutions and Building Solutions products. This advisory was originally published about 100 days ago on the US-CERT secure portal to allow for customer implementation of the patches provided by the vendor. The vulnerabilities were originally disclosed by the Zero Day Initiative (ZDI).
This ActiveX control vulnerability in the HMIWeb Browser would allow a medium-skilled attacker to remotely exploit the vulnerability and execute arbitrary code on the system. Application of the available patches is a tad more difficult than the process used by most vendors and is dependent on the type of Honeywell product used; just read the advisory, I’m not going to try to explain it here.
There is an interesting ‘Additional Precautions’ section in this advisory that seems odd to me. It reads (pg 3):
• Do not use a Station node to connect to the Internet for the purposes of Web browsing.
• If a Station node is connected to the Internet, do not use Station or Internet Explorer to browse the Internet, or limit this usage only to trusted Web sites.
While this seems to be the standard type of warning about Internet-facing control systems, it seems to ignore human nature. If a web browser is available on a system connected to the Internet, it is going to be used to access the Internet by bored operators when no one is around. Almost by definition they will not be using it to access trusted Web sites; porn and poker sites come quickly to mind. Blocking such sites will work for a while, but someone will inevitably discover a work-around to the block and share it with others. Security training will help, but I was taught as a young NCO in the Army not to give an order you know won’t be obeyed. Have fun with this.
1 comment:
Having an Internet browser installed in a station is not necessarily giving you access to the Internet. This requires much more, both in firewall settings on the process control network as well as configuration of the browser to connect to the corporate proxy server. I believe the warning's intention is to stay away from allowing Internet browser connectivity from a process control network based station.
The ease of connecting as you suggest does not exist.