In the midst of a dysfunctional government’s fiscal fiasco,
the DHS ICS-CERT published two control system security advisories yesterday:
one a DNP3 advisory for Alstom e-Terracontrol and the other an HMI advisory for
Wonderware InTouch.
Alstom Advisory
This advisory is for an improper input validation vulnerability reported by Adam Crain and Chris
Sistrunk in a coordinated disclosure (#9 of 25 listed on the Project Robus web page). Alstom has
produced a patch to mitigate this vulnerability and Adam and Chris have
verified the efficacy of that patch.
ICS-CERT reports that a moderately skilled attacker could remotely
exploit this vulnerability to execute a denial of service attack on the system.
Wonderware Advisory
This advisory is for an improper input validation vulnerability reported by Timur Yunusov,
Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team in a
coordinated disclosure. Wonderware has produced an updated version of InTouch
that mitigates this vulnerability and the team from Positive Technologies has
verified the efficacy of the new version. ICS-CERT had released this advisory to
the US-CERT secure Portal library on October 03, 2013.
ICS-CERT reports that a relatively low-skilled attacker
could exploit this vulnerability to gain access to system information or
execute a denial of service attack. ICS-CERT says that this vulnerability cannot
be remotely exploited; they note that the “exploit is only triggered when a local
user runs the vulnerable application and loads the malformed XML files” {page 2}.
It seems clear that a remote exploit would be possible through a social
engineering attack.
According to the Positive Technologies web site, that
organization reported this vulnerability to Invensys on 12-16-13 along with
three other vulnerabilities in the same system. Those reported vulnerabilities were:
• PT-2013-40: Resource Exhaustion;
• PT-2013-38: Multiple SQL Injection vulnerabilities; and
• PT-2013-37: Multiple Cross Site Scripting (XSS).
Positive Technologies reported that Invensys publicly
reported all four vulnerabilities on October 6th. It is not clear
why ICS-CERT did not include these other, more serious, vulnerabilities in this
advisory, especially since Positive Technologies reports that the same Invensys
update fixed all four vulnerabilities. The Wonderware notifications are only
available to registered system owners, so I cannot verify the Positive
Technologies claims.