Thursday, November 15, 2012

ICS-CERT Updates CoDeSys Advisory – Sort of

Yesterday DHS ICS-CERT published a new advisory about a novel twist on an earlier CoDeSys advisory; no, not the Wightman one from April, but the Luigi-Unuver one from January. That advisory identified, among other vulnerabilities, a stack-based overflow vulnerability reachable on Port 8080/TCP. The new advisory identifies a stack-based overflow vulnerability reachable on Port 80/TCP in the ABB AC500 PLC Webserver application, which is based upon the CoDeSys Webserver.

The new advisory does not give credit for the identification of the vulnerability, so one would assume that it came from ABB. It does note that publicly available exploit code exists for the vulnerability; one would expect that this refers to the Luigi disclosure of the CoDeSys vulnerability.

Yesterday’s advisory notes that the ABB patch for this vulnerability was made available last December. This is interesting in that December is about the same time as the original Unuver Alert and shortly after the initial Luigi disclosure. It seems that ABB was faster in responding to the CoDeSys vulnerability than the original manufacturer.

That makes one think about something that was said about the Wightman discovery of the other CoDeSys vulnerability. The DigitalBond blog by Wightman noted that:

“I mentioned at the beginning a success story. The tools do not work on at least one of the vendor’s products, who chooses to remain anonymous. The vendor has a security development lifecycle (SDL) that included threat modeling. They identified the threat of uploading rogue ladder logic and other malicious files, saw that this was not addressed by the CoDeSys runtime, and added a “security envelope” around the runtime.”

I don’t know who the anonymous vendor is, but this appears to be the same sort of forward-thinking security effort that was apparently demonstrated by ABB in this instance. The only question is why ABB disclosed this issue to ICS-CERT at this time. Maybe they want some recognition for their security efforts.


Joel "the SCADAhacker" said...

There are actually 2 different vulns here. Luigi's targets the Gateway Server which is a PC-based component used to communicate with a field device. The ICS-CERT (and ABB) vulnerability targets the Web Server component of the Control Runtime System that is running inside the AC500 PLC.

Not knowing what Luigi actually tested, but looking at his original disclosure, these two are not related, as he was targeting the simulated runtime environment (RTE) component, which runs on a Windows 2000/NT/XP platform. This is not a credible test that devices would be similarly vulnerable.

Joel "the SCADAhacker" said...

Forgot to add ... ABB disclosed this vulnerability via their public cyber security advisory website on April 20, 2012, so it would appear that ICS-CERT is late in communicating this out ... which BTW ... it still has not posted to their RSS or Twitter feeds!
