Yesterday afternoon DHS ICS-CERT published an advisory
providing mitigation strategies for multiple vulnerabilities identified in an ICS-CERT
alert issued in January for a variety of Schneider PLC systems. That alert
was issued concerning vulnerabilities identified by Arthur Gervais and
disclosed during this year’s S4 Conference. Readers may remember that an update
for that alert had been issued earlier this month reporting that two of the
vulnerabilities identified by Arthur were not actually vulnerabilities. That
alert update is not mentioned in this advisory.
The Advisory
This advisory reports that there are two confirmed
vulnerabilities in the identified Schneider products. They are:
• Improper authentication – CVE-2013-0664; and
• Cross-site request forgery – CVE-2013-0663.
The advisory reports that a relatively low skilled attacker
could remotely exploit these vulnerabilities to execute arbitrary commands on
the PLC or to modify I/O data being transmitted to or from the PLC.
According to the advisory, Schneider has not produced a patch
or update to remediate these vulnerabilities. Instead they have produced a vulnerability
disclosure notification that recommends:
• That owner/operators not connect
the affected PLC modules to an untrusted network;
• If such a connection is required,
owner/operators should block all HTTP access to the module from untrusted IP
addresses using a firewall, and only allow HTTP connections from known IP
addresses from secured workstations.
Actually, the Schneider document explains things a little
differently. For the improper authentication vulnerability Schneider explains
that:
“The execution of Modbus messages
via SOAP commands is a standard function of the modules that support FactoryCast
service.”
What Schneider apparently misses is that nobody is calling the SOAP
commands themselves the vulnerability; the problem is the inadequate
authentication of the source of those commands before the module executes them.
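To make that distinction concrete, and to show what Schneider's "known IP addresses from secured workstations" guidance looks like when the module itself enforces it, here is an added example that is not code from the advisory, from Schneider, or from the FactoryCast firmware. It is a hypothetical gate in front of an HTTP/SOAP endpoint that executes Modbus requests: the SOAP element names, the session cookie, the X-CSRF-Token header, the role names and the sample addresses are all assumptions made for the example. It checks the four things this advisory turns on, in order: source address allow-list, an authenticated session (the improper-authentication finding), a same-origin check plus a session-bound token (the CSRF finding), and a role check before any Modbus write function is allowed to change I/O data.

```python
import hashlib
import hmac
import ipaddress
import secrets
import xml.etree.ElementTree as ET

# Modbus function codes that change PLC state (write coils / registers).
MODBUS_WRITE_FUNCTIONS = {5, 6, 15, 16, 22, 23}

# Constructed sample: a SOAP envelope carrying Modbus "Write Single Register"
# (function 6).  Element names are assumptions, not the FactoryCast schema.
SAMPLE_WRITE_REQUEST = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body>
    <ModbusRequest xmlns="urn:example:plc">
      <FunctionCode>6</FunctionCode>
      <Address>100</Address>
      <Value>1</Value>
    </ModbusRequest>
  </soap:Body>
</soap:Envelope>"""


def parse_modbus_function(soap_body):
    """Pull the Modbus function code out of the SOAP body (any namespace)."""
    root = ET.fromstring(soap_body)
    node = root.find(".//{*}FunctionCode")
    if node is None or not node.text:
        raise ValueError("request carries no Modbus function code")
    return int(node.text)


class SessionStore:
    """Server-side sessions plus a per-session anti-CSRF token."""

    def __init__(self, secret):
        self._secret = secret
        self._sessions = {}  # session id -> role

    def login(self, role):
        sid = secrets.token_urlsafe(16)
        self._sessions[sid] = role
        return sid, self.csrf_token(sid)

    def csrf_token(self, sid):
        # HMAC over the session id: a cross-site page can make the browser
        # send the cookie, but cannot read it and so cannot compute this.
        return hmac.new(self._secret, sid.encode(), hashlib.sha256).hexdigest()

    def role_for(self, sid):
        return self._sessions.get(sid)


def authorize(request, store, allowed_sources, plc_origin):
    """Decide whether a Modbus-over-SOAP request may reach the PLC.
    request: dict with source_ip, headers, cookies, body (constructed).
    Returns (allowed, reason)."""
    # 1. Only known workstation addresses may talk HTTP to the module.
    src = ipaddress.ip_address(request["source_ip"])
    if not any(src in net for net in allowed_sources):
        return False, "source address not on HTTP allow-list"
    # 2. Authentication: executing Modbus via SOAP is a feature; executing
    #    it for an unauthenticated caller is the bug.
    sid = request.get("cookies", {}).get("session")
    role = store.role_for(sid) if sid else None
    if role is None:
        return False, "unauthenticated"
    # 3. CSRF: the cookie rides along automatically, so also require a
    #    same-site Origin/Referer and the session-bound token.
    headers = request.get("headers", {})
    origin = headers.get("Origin") or headers.get("Referer") or ""
    if not (origin == plc_origin or origin.startswith(plc_origin + "/")):
        return False, "cross-site or missing origin"
    token = headers.get("X-CSRF-Token", "")
    if not hmac.compare_digest(token, store.csrf_token(sid)):
        return False, "missing or invalid CSRF token"
    # 4. Least privilege: writes that modify I/O data need the engineer role.
    fc = parse_modbus_function(request["body"])
    if fc in MODBUS_WRITE_FUNCTIONS and role != "engineer":
        return False, "write function %d requires engineer role" % fc
    return True, "ok"


def run_scenarios():
    """Run constructed requests through the gate; returns {name: (allowed, reason)}."""
    plc_origin = "http://192.0.2.10"                  # the PLC module (assumed)
    allowed = [ipaddress.ip_network("192.0.2.0/24")]  # engineering LAN (assumed)
    store = SessionStore(secret=b"constructed-demo-secret")
    sid, token = store.login("engineer")

    def req(ip, headers=None, cookies=None):
        return {"source_ip": ip, "headers": headers or {},
                "cookies": cookies or {}, "body": SAMPLE_WRITE_REQUEST}

    return {
        "untrusted_network": authorize(req("203.0.113.7"), store, allowed, plc_origin),
        "no_credentials": authorize(req("192.0.2.20"), store, allowed, plc_origin),
        # Logged-in engineer lured to an attacker page: cookie sent, no token.
        "csrf_forged": authorize(
            req("192.0.2.20", {"Origin": "http://attacker.example"}, {"session": sid}),
            store, allowed, plc_origin),
        "legitimate_write": authorize(
            req("192.0.2.20", {"Origin": plc_origin, "X-CSRF-Token": token},
                {"session": sid}), store, allowed, plc_origin),
    }


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print("%-18s %s (%s)" % (name, "ALLOW" if ok else "DENY", why))
```

The first check is the same thing the Tofino rules do at the network edge; having it in both places matters because a firewall rule protects nothing once a "known" workstation is itself compromised, which is exactly the case the CSRF finding describes. Note the origin check: a bare prefix match on "http://192.0.2.10" would also accept "http://192.0.2.100", so the comparison requires an exact match or a trailing slash.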
For the cross-site request forgery vulnerability Schneider
notes that the “vulnerability is extremely difficult to exploit”. What is
apparently left unsaid is that Schneider doesn’t think a vulnerability this
difficult to exploit is worth fixing. Oops, I forgot, ICS-CERT said that a
relatively unskilled attacker could exploit this vulnerability. I wonder who is
actually correct?
But then again, Arthur not only found the vulnerability, he was able
to exploit it. Now that other researchers know that it exists and
generally how to find it, I suspect that there are a significant number of
people that could exploit this ‘extremely difficult to exploit’ vulnerability.
Isn’t it about time that we finally threw out the ‘security by obscurity’
model?
Schneider does provide
instructions for configuring a Tofino® firewall to protect against attacks
via these two vulnerabilities.
A Third Vulnerability
The vulnerability disclosure notification that describes the
two vulnerabilities identified in this advisory also discloses a third
vulnerability that was apparently identified by an internal Schneider research
effort. Schneider describes this as an ability to “crash M340 Ethernet modules
when transferring files using FileZilla FTP Client”. Schneider has produced a
firmware update that mitigates this vulnerability.
What I find interesting is that the vulnerability disclosure
notification is dated January 23rd, 2013, and I don’t recall seeing
an ICS-CERT advisory covering this third vulnerability.
Timing
Actually, the timing of the Schneider document makes one
wonder why the earlier alert update was published at all. The information
provided in yesterday’s advisory was available on January 23rd so
this advisory, with a suitable explanation of why two of the vulnerabilities
were not vulnerabilities, could have been published a week before the updated
alert was published. Even if Schneider wanted to embargo that release so that
they could notify their customers, ICS-CERT could have published the advisory
on the US CERT secure portal.