Yesterday (lost in the cybersecurity EO and State of the Union hoopla) the DHS ICS-CERT published two advisories addressing buffer overflow vulnerabilities in industrial control systems. The advisories addressed vulnerabilities in products from Schneider and WellinTech.
Schneider Advisory
This advisory addresses a heap-based buffer overflow in the Accutech Manager application from Schneider. The vulnerability was reported by Aaron Portnoy of Exodus Intelligence in a coordinated disclosure (more about this later) and according to the advisory Aaron has verified that the update provided by Schneider effectively mitigates the vulnerability.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability using publicly available code and it could allow the attacker to execute arbitrary code on the system.
The advisory also notes that Schneider recommends closing Accutech Manager when not actually using it. ICS-CERT (apparently) also recommends ensuring that the vulnerable port (2537/TCP) is not accessible from the internet.
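As an added example (not code from the advisory or this blog), here is a Python check that reads firewall log lines and flags accepted TCP connections to port 2537 that originate outside the site's internal address ranges, the exposure the ICS-CERT recommendation is meant to rule out. The log line format, the internal ranges (assumed to be the RFC1918 networks) and the sample lines are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample firewall log lines; the format is an assumption, not a real product's.
SAMPLE_LOG = """\
2013-02-13T10:01:02Z ACCEPT proto=TCP src=198.51.100.23 spt=51234 dst=10.1.5.20 dpt=2537
2013-02-13T10:01:05Z ACCEPT proto=TCP src=10.1.4.7 spt=40001 dst=10.1.5.20 dpt=2537
2013-02-13T10:02:11Z ACCEPT proto=TCP src=203.0.113.9 spt=33000 dst=10.1.5.20 dpt=443
2013-02-13T10:03:40Z DROP proto=TCP src=203.0.113.9 spt=33001 dst=10.1.5.20 dpt=2537
2013-02-13T10:04:01Z ACCEPT proto=UDP src=192.0.2.55 spt=5000 dst=10.1.5.20 dpt=2537
"""

ACCUTECH_PORT = 2537  # TCP port named in the ICS-CERT advisory

# Assumed internal ranges; a real site would list its own allocated networks here.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) spt=\d+ dst=(?P<dst>[\d.]+) dpt=(?P<dpt>\d+)$"
)

def is_internal_source(addr: str) -> bool:
    """True when the source address falls inside one of the site's internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def find_exposed_accutech_connections(log_text: str) -> list:
    """Return accepted TCP connections to ACCUTECH_PORT whose source is not internal."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        if m["action"] != "ACCEPT" or m["proto"] != "TCP":
            continue  # dropped traffic and non-TCP traffic are not exposures
        if int(m["dpt"]) != ACCUTECH_PORT:
            continue
        if not is_internal_source(m["src"]):
            findings.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"]})
    return findings

if __name__ == "__main__":
    for f in find_exposed_accutech_connections(SAMPLE_LOG):
        print(f"{f['ts']} external source {f['src']} reached 2537/TCP on {f['dst']}")
```

On the constructed sample only the first line is reported: the internal client, the DROP, the other port and the UDP line are all filtered out.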
WellinTech Advisory
This advisory addresses a memory corruption buffer overflow in the kingMess application within the KingView product. The vulnerability was reported by Lucas Apa and Carlos Mario Penagos Hollman of IOActive in a coordinated disclosure. They have also verified that the patch produced by WellinTech fixes the vulnerability.
ICS-CERT reports that a highly skilled attacker could remotely exploit this vulnerability to execute arbitrary code on the system.
It’s interesting to note that WellinTech reportedly released the patch on November 15th of last year and ICS-CERT is just now publishing the advisory. This may be because WellinTech did not disclose the vulnerability to ICS-CERT until recently.
New Twist on Coordinated Disclosure
The Schneider advisory has something that I don’t recall seeing in a coordinated disclosure advisory before: a report that there is publicly available exploit code for the vulnerability. Typically the researcher keeps any exploit code they developed tightly held, only sharing it with the vendor. There is nothing specific about who has released the exploit, so I can’t tell from the advisory whether it was Aaron who released the exploit code or some other researcher who independently discovered the vulnerability.
A look at the Exodus Intelligence (Aaron’s employer) web site sheds some light on the situation. Exodus Intelligence offers its customers two different types of ‘vulnerability intelligence data feeds’. A ‘Zero-day Feed’ offers customers information on vulnerabilities (including exploit code) just after Exodus notifies the vendor of the vulnerability. I’m assuming that there is some sort of non-disclosure agreement that goes along with this feed.
A separate (and presumably cheaper) ‘Day of Disclosure Feed’ provides the same information to Exodus customers the same day as the vendor publicly announces the availability of the mitigation for the vulnerability. Again this includes a copy of the exploit code for the vulnerability. I’m assuming that this is the exploit code for the Schneider vulnerability that is referenced in the advisory.
It is interesting to me to see how many different business models are beginning to grow out of the white hat side of the cybersecurity universe. Researchers need to make money to support their nasty habits like eating and bathing, and these varied business models will make it easier for these folks to keep plying their trade and keeping software vendors on their toes.