Wednesday, March 6, 2013

ICS-CERT Publishes 2 Advisories – 360 Systems and Emerson

Today the DHS ICS-CERT published two new advisories; one for 360 Systems’ Image Server and one for the DeltaV MD and SD controllers from Emerson. There are some unique things about both of these vulnerabilities.

360 Systems Image Server

This advisory was originally published on the US-CERT Secure Portal and is now being publicly released. Neil Smith and Ryan Green reported the hard-coded password in a coordinated disclosure. According to ICS-CERT the affected products are video servers in use in over 3,000 local and network broadcast stations. This is certainly a new twist on the conventional idea of control systems.

The vulnerability is really a combination of a default root user with a hardcoded password. Actually the advisory uses both ‘default password’ and ‘hardcoded password’. As we saw in yesterday’s advisory, there is a distinct difference between the two. It would be helpful if ICS-CERT consistently described the vulnerability.
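To make the distinction concrete, here is an added illustration (not code from the advisory, from 360 Systems, or from ICS-CERT; every name and value in it is constructed) that contrasts the two patterns. A hard-coded password lives in the program text, so no reset or configuration change on the device can remove it. A default password is a known factory value that the owner can and should change; a well-designed credential store records which accounts are still on the factory value so an operator can audit for them.

```python
import hashlib
import hmac
import secrets

# Pattern 1: hard-coded credential. The secret is part of the program text,
# so nothing an owner can do short of replacing the firmware removes it.
HARDCODED_ROOT_PASSWORD = "example-fixed-secret"  # constructed placeholder


def login_hardcoded(user: str, password: str) -> bool:
    """Authenticate against a credential baked into the code (the flawed pattern)."""
    return user == "root" and hmac.compare_digest(password, HARDCODED_ROOT_PASSWORD)


# Pattern 2: default credential held in a mutable, salted-hash store. The
# factory value is public knowledge, but it can be changed, and the store
# remembers whether each account still uses it.
FACTORY_DEFAULTS = {"root": "example-default"}  # constructed placeholder


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CredentialStore:
    def __init__(self) -> None:
        self._users: dict[str, dict] = {}
        # A factory reset seeds the store with the defaults and flags them.
        for user, pw in FACTORY_DEFAULTS.items():
            self._set(user, pw, is_default=True)

    def _set(self, user: str, password: str, is_default: bool) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = {
            "salt": salt,
            "hash": _hash(password, salt),
            "is_default": is_default,
        }

    def login(self, user: str, password: str) -> str:
        """Return 'denied', 'must_change_password' or 'ok'."""
        rec = self._users.get(user)
        if rec is None or not hmac.compare_digest(_hash(password, rec["salt"]), rec["hash"]):
            return "denied"
        # A correct factory password gets in only far enough to change it.
        return "must_change_password" if rec["is_default"] else "ok"

    def change_password(self, user: str, old: str, new: str) -> bool:
        if self.login(user, old) == "denied":
            return False
        if new in FACTORY_DEFAULTS.values():
            return False  # refuse to revert an account to a factory value
        self._set(user, new, is_default=False)
        return True

    def accounts_still_on_default(self) -> list[str]:
        """Audit hook: which accounts have never left the factory credential."""
        return sorted(u for u, r in self._users.items() if r["is_default"])
```

The audit method is the piece a defender wants: a device that can answer "which accounts are still on the factory password?" can be checked before it goes on a network, whereas a device built on pattern 1 has nothing to report because the credential is not in any store at all.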

In any case a relatively low skilled attacker could remotely exploit this vulnerability to modify or upload video and schedule it to play immediately or at a future time.

According to the advisory:

“360 Systems has not produced a patch, new version, or firmware upgrade that removes the hardcoded password or root user account. The vendor recommends that these devices be placed on closed, nonpublic-facing networks. The vendor further recommends the use of properly configured firewalls to restrict access to only necessary ports and the use of Virtual Private Networks if access is required. For more information on proper setup of this device, users may contact 360 Systems’ customer service department.”

Considering how often we hear about holes in supposedly secure networks, this seems to be a weak response, in my opinion. I mean, how hard would it be to crack a TV station computer network and upload a zombie apocalypse emergency broadcast warning? OOPS. Hasn’t that already been done? Was it using this vulnerability? Has anyone heard?

Emerson DeltaV

This advisory addresses an uncontrolled resource consumption vulnerability in the MD and SD DeltaV controllers from Emerson. The vulnerability was reported by Joel Langill in a coordinated disclosure. The advisory was posted earlier on the US-CERT Secure Portal.

The advisory reports that a relatively low skilled attacker could use readily available network mapping tools to locally exploit this vulnerability to initiate a denial of service attack. It also reports that public “exploits may exist that could target this vulnerability”.

Emerson has created a hotfix for this vulnerability. Emerson notes that either the hotfix or the installation of the DeltaV Firewall will adequately mitigate the vulnerability, but Emerson recommends that both be used.

There are two editorial problems (at least I hope they are just editorial problems) with this advisory. First, the advisory states that:

“Customer notification KBA_NK-1300-0007 will be sent to customers who own a DeltaV control system.”

The whole point of publishing the advisory on the US-CERT Secure Portal is to give owners a chance to fix their systems before the vulnerability is publicly noted. In this case, however, the “will be sent” wording indicates that the customer notification still has not been done. Hopefully this is just poor editing and not poor customer service.

The second questionable comment also applies to mitigation measures. The advisory states:

“According to Emerson and confirmed by Joel Langill, the DeltaV Controller Firewall mitigates this vulnerability; however, Emerson recommends that all users install the hotfix.”

Again, the wording seems to indicate that the firewall was evaluated for efficacy by Joel, but not the hotfix. Most of us would have assumed that the firewall could deny access to the vulnerable ports; I would be more interested in independent verification that the hotfix helped to mitigate the vulnerability.


Joel "the SCADAhacker" Langill said...

Good day ... the "public" report will be posted at 4pm EST on Friday, March 8 via the normal ICS-CERT notification process. At this time, it is only available via secure access to either Emerson's support portal or the US-CERT secure portal.

Based on timing, it was not possible for me to have access to a fully functional DeltaV system, including the complement of necessary nodes such as MD and SD controllers. The first step was to verify the Compensating Control. For me, this was critical and needed to be addressed immediately (which in fact was verified before the reports were ever published), since asset owners are rarely left with alternatives when they are unable to immediately install the patches. In an operational world, it is not as easy as many think, and needs to be coordinated with not only your operational requirements, but also potential regulatory ones.

This vulnerability represents significant risk to asset owners, because it affects a large span of MD controllers in service today back to v7.x! Obviously, asset owners who have failed to upgrade their systems face other threats, which is why Emerson has focused on only providing patches for (1) current systems which can be defined as at versions 10.3.1 and 11.3.1, and (2) those that maintain active support contracts allowing them access to the EPM portal where the hotfix is available.

My view was that I wanted to provide a solution for EVERYONE who owned an MD controller (SD controllers are relatively new coming on the scene with v11, so this wasn't as big of a problem due to the software support issues mentioned). I believe that a customer is always a customer, and that an ICS purchase is a long-term commitment between supplier and purchaser - however, this view is not shared by many suppliers. This means that customers should be offered solutions irrespective of whether they were considered "current" in the eyes of Emerson and also for those that may not have a current Guardian support contract. So, even if you don't have a current support contract, you have been informed via a free, public service provided by ICS-CERT of the problem and a potential solution. As a consultant, this is my primary objective, and why my services (consulting, training, etc.) focus on helping asset owners protect their production assets, which consist of not just the ICS, but the production processes and equipment that are controlled by the ICS! Isn't that the basis of risk management!

This is no game ... users of ICS equipment invest significant resources in terms of time and money installing these systems, and a realistic approach to securing these systems has to address a prioritized set of recommendations to implement defensive controls where possible. I am not willing to accept the easy way out which is to "just upgrade your system". In many cases, this upgrade could result in far greater risk to an organization than that of the cyber threat in the first place! To address this vulnerability, you must perform a firmware upgrade to the controllers, and for those in an operational role, this represents a considerable risk to a system that is currently in use!

In closing, I have in fact verified that the firmware corrects the vulnerabilities addressed by this attack. This required me to work closely with Emerson and ICS-CERT in coordinating the release of this information. This was not something that Emerson was able to perform overnight, and we worked together patiently for quite a long period of time making sure that this patch addressed the problem without creating new problems in the meantime.

As always ...stay secure!

Jeff Potter - EPM Director-Security Architecture said...

Regarding your two questions, and a bit of background:

Emerson published the documentation (KBA, FAQ) and associated HOTFIX on 20 Feb 2013. The vulnerability was reported on the ICS-CERT secure portal on 22 Feb 2013, with the more open release on 6 Mar. We would have preferred a bit more time between our internal release and the various ICS-CERT releases, but our releases DID go out first (so Patrick, it is a grammar issue!).

Secondly, the DeltaV Controller Firewall mitigated this vulnerability prior to Joel's report, but it isn't always installed in our customers' systems. Thus our recommendation to apply the controller HOTFIX. We lent Joel a firewall, which he was able to test, and also the HOTFIX which he could test against the version of DeltaV controller in his possession.

Which raises one final point: Joel's report to ICS-CERT was for one specific version of MD controller. Emerson COULD have said, hey, our firewall already blocks this, just buy a firewall. OR, we could have simply fixed the specific controller and rev. level reported, but we widened our investigation to the SD series, and many other rev. levels. As noted at the end of Joel's response, this was a non-trivial exercise.

Hope this helps.
