Yesterday ICS-CERT published alerts for systems from Clorius
Controls and Mitsubishi and an advisory for a Wind River product.
Wind River Advisory
This advisory is for multiple vulnerabilities in the Wind River VxWorks real-time operating system (RTOS) reported by Hisashi Kojima and Masahiro Nakada of Fujitsu Laboratories in a coordinated disclosure. VxWorks is an embedded operating system that is used in a variety of industrial control system devices. The vulnerabilities include:
• Improper input validation: CVE-2013-0711, CVE-2013-0712, CVE-2013-0713, CVE-2013-0714, CVE-2013-0716; and
• Command injection: CVE-2013-0715.
ICS-CERT notes that a relatively low skilled attacker could remotely exploit these vulnerabilities, though a couple of them require a valid user ID and password to exploit. Successful exploitation could lead to a DoS attack in most cases, but exploitation of one of the improper input validation vulnerabilities could lead to arbitrary code execution.
The advisory notes that “[a]ccording to Wind River, software patches” (pg 5) are available from Wind River technical support for all VxWorks versions. This wording probably indicates that neither ICS-CERT nor the original researchers have validated the efficacy of the patches.
It would be helpful in situations like this, where a vulnerability may affect products from multiple vendors, if the advisory would note either that the reported mitigation would work on multiple vendors’ products or which vendors’ products were or were not protected by the mitigation measure. ICS-CERT would be the only organization that could possibly address this multiple-vendor issue. As it is, we must simply assume that every product that uses VxWorks has these vulnerabilities and that each must be separately addressed by the vendor that uses it.
Mitsubishi Alert
This alert addresses a heap-based buffer overflow vulnerability in an ActiveX control in the Mitsubishi MX SCADA/HMI product. The vulnerability disclosure (with exploit code) was reported by Dr IDE (not identified in the ICS-CERT alert) on the OSVDB.org web site on 3-26-13. The remotely exploitable vulnerability could result in arbitrary code execution.
Clorius Controls Alert
This alert addresses an information disclosure vulnerability in the Clorius Controls ICS SCADA product. This remotely exploitable vulnerability, with publicly available exploit code, could result in ‘loss of confidentiality’. The alert notes that ICS-CERT is still trying to contact the researcher and Clorius Controls about this vulnerability.
Researcher Identification
Standard verbiage in both alerts clearly states that ICS-CERT will provide attribution of the researcher who discovered the vulnerability “unless the reporter notifies ICS-CERT that they wish to remain anonymous”. That does not appear to be the case in either of these alerts; Dr IDE is clearly identified in the OSVDB report, so he has no anonymity beyond his handle, and ICS-CERT apparently hasn’t been able to contact the Clorius Controls researcher. Thus it appears that ICS-CERT is slipping back into its adversarial mode in dealing with authors of uncoordinated disclosures.
The bad news here is that the black hat community may have access to details about the Clorius Controls vulnerability that the vendor and owners may not be aware of. At least in the Mitsubishi alert ICS-CERT provided a link to the OSVDB web site discussing the vulnerability, so that we all have a general picture of the vulnerability and a level playing field (though it was seven days late).