On Friday afternoon the DHS ICS-CERT published two
advisories: one for multiple vulnerabilities in MatrikonOPC and one for a single
vulnerability in the Galil RIO-47100. Both advisories were based upon coordinated
disclosures.
NOTE: Along with a recent change in the ICS-CERT web site
format, ICS-CERT has changed their Advisories (and presumably Alerts) from .PDF
pages to .HTML pages. They may still be saved as .PDF files, but this should
remove some of the complaints heard about ICS-CERT using an ‘inherently
vulnerable’ .PDF format for their reports. I’ve even heard some really paranoid
individuals complain that ICS-CERT was using the .PDF reports to spread
spyware.
MatrikonOPC Advisory
ICS-CERT reports that two vulnerabilities [Link added 4-28-13 07:05 CDT] were reported by
Dillon Beresford of Cimation. The vulnerabilities are:
• Path traversal, CVE-2013-0673; and
• Error handling, CVE-2013-0666
(NOTE: CVE links will not be active for a couple of days) [4-28-13 07:05 CDT]
ICS-CERT notes that a relatively low-skilled attacker could
remotely exploit these vulnerabilities to gain access to system files or crash
the configuration utility. They also note that the system must be accessible
via the internet for the remote exploitation to be possible.
MatrikonOPC has produced patches that have been verified by
Dillon to mitigate the vulnerabilities. The link to the patch page in the
advisory does not work [NOTE: As of 04:00 CDT 4-29-13, this has been corrected]. Use this link (http://www.opcsupport.com/ics/support/default.asp?deptID=4590)
to the product advisory page instead. Click on the appropriate product and use
the instructions on the product page to download the patch.
Galil Advisory
ICS-CERT reports an input validation vulnerability [link added 4-28-13 07:05 CDT] in the
Galil RIO-47100 PLC that was reported by Jon Christmas of Solera Networks.
ICS-CERT notes that a moderately skilled attacker could
remotely exploit this vulnerability to execute a DoS attack.
A firmware update is available at http://www.galilmc.com/support/firmware-downloads.php
and Christmas confirms that it resolves the identified vulnerability. The link
in the advisory is good, but it takes you through a ‘You are leaving ICS-CERT’
page which I have always found to be annoying and more than a little mindless.
Interestingly, the Firmware Release Notes page also explains that the latest
release fixes a buffer overflow issue not mentioned in the ICS-CERT advisory.
New Format
As I mentioned earlier, ICS-CERT has changed the format for
their Advisories and Alerts. They have gone back and updated earlier alerts (at
least through the Clorius Controls Alert from April 1st). Along with
changing from a .PDF to .HTML file format, they have significantly modified the
typography and slightly modified the layout. In my opinion (FWIW) the changes
have detracted from the readability of the documents. This is especially true
when the document is saved in a .PDF format.
The change in format also removes two fixtures of the
reports. The recently added ‘Traffic Light Protocol’ (TLP) markings have been
removed from the documents; a good move in my opinion. The product warranty box
at the bottom of the first page of the old format has also been removed. This
was one of those legal disclaimer things that we are seeing in too many areas
of our public lives and the world would be a better place without them.
3 comments:
Both CVE links for MatrikonOPC vuln are broken (and what a user-surly website!). However, ICS-CERT Advisory can be found here:
https://ics-cert.us-cert.gov/advisories/ICSA-13-106-01
Thanks for pointing out that I failed to provide the links for the advisories. I have corrected that.
The CVE links will become active in a couple of days. I'm not sure I completely understand why this happens, but it happens every time ICS-CERT publishes CVE numbers. From time to time I include a note for new readers of the blog to notify them of the delay; I have gone back and done this in this case.