This afternoon the DHS ICS-CERT published two control system security advisories. One was a Crain-Sistrunk DNP3 vulnerability in Telvent RTUs and the second was a NULL pointer dereference vulnerability in the 3S CoDeSys Runtime Toolkit. Both were coordinated disclosures.
Schneider DNP3 Advisory
The DNP3 vulnerability is a standard improper input validation vulnerability. According to the Robus web site, this is number 16 of the now 28 (they have recently updated the total number) coordinated disclosures that Crain and Sistrunk have made based upon their proprietary fuzzer technology; still 12 more DNP3 vendors to go.
This advisory was originally posted on the CERT secure portal back on January 6th, and it was disclosed on the Schneider Electric web site on December 30th. Schneider has produced a patch to mitigate the single vulnerability (based upon the CVSS v2 score it is probably the serial version of the vulnerability). There is no mention in the advisory of whether Crain-Sistrunk were given a chance to validate the patch.
According to ICS-CERT, a relatively low skilled attacker could remotely exploit this vulnerability to execute a denial of service attack.
According to the Schneider version of the advisory (.PDF download), Schneider did more than just fix this vulnerability in the firmware update. They note that:
“In addition to better checking DNP3 input for malformed packets, the J0 firmware includes features for encryption, authentication, improved logging and DNP3 connection port validation.”
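As an added example (not Schneider's, Telvent's, or ICS-CERT's code), here is what "better checking DNP3 input for malformed packets" can look like at the link layer: a parser that refuses any frame whose LEN field does not agree with the bytes actually received, before any field is used. The frame layout follows the public DNP3 link-layer format; the `build_frame` helper, the placeholder zero CRCs and the sample frames are constructed for this example, and CRC verification is left out as noted in the code.

```python
# Added example (not Schneider's or ICS-CERT's code): a strict DNP3 link-layer
# frame parser that rejects malformed frames before any field is used.
#
# DNP3 link-layer frame layout:
#   0x05 0x64 | LEN | CTRL | DEST (2 bytes, LE) | SRC (2 bytes, LE) | header CRC (2)
#   followed by user data in blocks of up to 16 bytes, each followed by a 2-byte CRC.
# LEN counts CTRL + DEST + SRC + user data (CRC bytes are not counted), so the
# total size of a well-formed frame is completely determined by LEN.
import struct

START = b"\x05\x64"
HEADER_SIZE = 10        # start(2) + LEN(1) + CTRL(1) + DEST(2) + SRC(2) + CRC(2)
BLOCK_DATA = 16         # max user-data bytes per CRC-protected block
MIN_LEN = 5             # CTRL + DEST + SRC with no user data


class MalformedFrame(ValueError):
    """Raised for any frame that does not match the declared layout."""


def expected_frame_size(length_field: int) -> int:
    """Total on-the-wire size implied by the LEN field."""
    user_bytes = length_field - MIN_LEN
    blocks = (user_bytes + BLOCK_DATA - 1) // BLOCK_DATA
    return HEADER_SIZE + user_bytes + 2 * blocks


def parse_link_frame(frame: bytes) -> dict:
    """Validate every length-related invariant before trusting any field.

    CRC verification is deliberately left out so the example stays focused on
    the length checks; a real implementation must also verify the header and
    block CRCs.
    """
    if len(frame) < HEADER_SIZE:
        raise MalformedFrame("frame shorter than the 10-byte link header")
    if frame[:2] != START:
        raise MalformedFrame("missing 0x05 0x64 start bytes")
    length = frame[2]
    if length < MIN_LEN:
        raise MalformedFrame(f"LEN={length} below minimum of {MIN_LEN}")
    expected = expected_frame_size(length)
    if len(frame) != expected:
        # A LEN that promises more bytes than arrived is the classic trigger for
        # over-reads in parsers that index straight from LEN.
        raise MalformedFrame(f"LEN={length} implies {expected} bytes, got {len(frame)}")
    ctrl = frame[3]
    dest, src = struct.unpack("<HH", frame[4:8])
    # Strip the 2-byte CRC that trails each (up to) 16-byte data block.
    body = frame[HEADER_SIZE:]
    user_data = bytearray()
    for offset in range(0, len(body), BLOCK_DATA + 2):
        user_data += body[offset:offset + BLOCK_DATA + 2][:-2]
    return {"ctrl": ctrl, "dest": dest, "src": src, "data": bytes(user_data)}


def build_frame(ctrl: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Construct a frame with placeholder zero CRCs (constructed test input, not real traffic)."""
    length = MIN_LEN + len(user_data)
    if length > 255:
        raise ValueError("user data too long for one frame")
    frame = START + bytes([length, ctrl]) + struct.pack("<HH", dest, src) + b"\x00\x00"
    for offset in range(0, len(user_data), BLOCK_DATA):
        frame += user_data[offset:offset + BLOCK_DATA] + b"\x00\x00"
    return frame


if __name__ == "__main__":
    good = build_frame(0xC4, 1, 1024, bytes(range(20)))   # constructed sample frame
    print(parse_link_frame(good))
    truncated = good[:-3]   # LEN still claims 25 bytes, but the frame arrived short
    try:
        parse_link_frame(truncated)
    except MalformedFrame as exc:
        print("rejected:", exc)
```

The design point is that the length check happens once, up front, against the whole received buffer, so no later slice can run off the end regardless of what LEN claims; a fuzzer of the Crain-Sistrunk kind is essentially searching for parsers that skip exactly this step.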
CoDeSys Advisory
This advisory identifies a vulnerability reported by Nicholas Miles. 3S has developed an update that corrects the vulnerability, and Miles has reported that it effectively mitigates the problem.
ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to cause a system crash within the Runtime Toolkit application.
ICS-CERT provides a URL for the CoDeSys download page, but I don’t actually see this update unless it is the SP3 Patch 9 that was released last week (1-24-14), and it sure doesn’t look like it from the details provided.
Missed Vulnerabilities
There have been a couple of Twitter notices by Joel Langill (@SCADAHacker) about ICS vulnerabilities that have not yet been noticed by ICS-CERT:
@SCADAhacker: #ICS Vuln Alert: Emerson Network Power Avocent MergePoint Unity 2016 KVM Directory Traversal Vulnerability http://h4ckr.us/1jDnLt4

@SCADAhacker: #ICS Vuln Alert - #Schneider - Floating License Manager Unquoted Service Path Vulnerability (15/01/2014) http://h4ckr.us/1fpveXu #SHnews