Sunday, April 28, 2013

ICS-CERT Publishes Two Friday Advisories

On Friday afternoon the DHS ICS-CERT published two advisories for multiple vulnerabilities on MatrikonOPC and a single vulnerability on Galil RIO-47100. Both advisories were based upon coordinated disclosures.

NOTE: Along with a recent change in the ICS-CERT web site format, ICS-CERT has changed their Advisories (and presumably Alerts) from .PDF pages to .HTML pages. They may still be saved as .PDF files, but this should remove some of the complaints heard about ICS-CERT using an ‘inherently vulnerable’ .PDF format for their reports. I’ve even heard some really paranoid individuals complain that ICS-CERT was using the .PDF reports to spread spyware.

MatrikonOPC Advisory

ICS-CERT reports that two vulnerabilities [Link added 4-28-13 07:05 CDT] were reported by Dillon Beresford of Cimation. The vulnerabilities are:

• Path traversal, CVE-2013-0673; and
• Error handling, CVE-2013-0666

(NOTE: CVE links will not be active for a couple of days) [4-28-13 07:05 CDT]

ICS-CERT notes that a relatively low skilled attacker could remotely exploit these vulnerabilities to gain access to system files or crash the configuration utility. They also note that the system must be accessible via the internet for the remote exploitation to be possible.

MatrikonOPC has produced patches that have been verified by Dillon to mitigate the vulnerabilities. The link to the patch page in the advisory does not work [NOTE: As of 04:00 CDT 4-29-13, this has been corrected]. Use this link ( to the product advisory page instead. Click on the appropriate product and use the instructions on the product page to download the patch.

Galil Advisory

ICS-CERT reports an input validation vulnerability [link added 4-28-13 07:05 CDT] in the Galil RIO-47100 PLC that was reported by Jon Christmas of Solera Networks.

ICS-CERT notes that a moderately skilled attacker could remotely exploit this vulnerability to execute a DoS attack.

A firmware update is available at and Christmas confirms that it resolves the identified vulnerability. The link in the advisory is good, but it takes you through a ‘You are leaving ICS-CERT’ page which I have always found to be annoying and more than a little mindless. Interestingly the Firmware Release Notes page also explains that the latest release fixes a buffer overflow issue not mentioned in the ICS-CERT advisory.

New Format

As I mentioned earlier, ICS-CERT has changed the format for their Advisories and Alerts. They have gone back and updated earlier alerts (at least through the Clorius Controls Alert from April 1st. Along with changing from a .PDF to .HTML file format, they have significantly modified the typography and slightly modified the lay out. In my opinion (FWIW) the changes have detracted from the readability of the documents. This is especially true when the document is saved in a .PDF format.

The change in format also removes two fixtures of the reports. The recently added ‘Traffic Light Protocol’ (TLP) markings have been removed from the documents; a good move in my opinion. The product warranty box at the bottom of the first page of the old format has also been removed. This was one of those legal disclaimer things that we are seeing in too many areas of our public lives and the world would be a better place without them.


Unknown said...

Both CVE links for MatrikonOPC vuln are broken (and what a user-surly website!). However, ICS-CERT Advisory can be found here:

Unknown said...
This comment has been removed by the author.
PJCoyle said...

Thanks for pointing out that I failed to provide the links for the advisories. I have corrected that.
The CVE links will become active in a couple of days. I'm not sure I completely understand why this happens, but it happens every time ICS-CERT publishes CVE numbers. From time to time I include a note for new readers of the blog to notify them of the delay; I have gone back and done this in this case.

/* Use this with templates/template-twocol.html */