Today DHS ICS-CERT published three advisories: a unique Crain-Sistrunk
DNP3 vulnerability, a mitigation effort update, and an advisory from the secure
portal.
Schneider Advisory
This advisory addresses an Uncontrolled Resources Consumption Vulnerability
in the Schneider Electric ClearSCADA series of products. The vulnerability in
the DNP3 system was reported by Crain-Sistrunk in a coordinated disclosure.
Schneider has produced a new software version that mitigates the vulnerability,
and Adam Crain has verified the efficacy of the fix.
ICS-CERT reports that a moderately skilled attacker could
remotely exploit the vulnerability to cause DNP3Driver.exe to hang, causing an
interruption in system processing. Essentially, this is a denial of service
(DoS) attack vector.
According to the Schneider Electric web site, they publicly
disclosed this vulnerability on December 5th, 2013.
Sierra Wireless Advisory Update
This advisory update provides additional information about mitigation
measures for the vulnerability reported last week. Sierra Wireless provides a
vulnerability note dated January 10th suggesting that over-the-air firmware
updates should not be done because “the update process, password data is
transmitted to the device”. It recommends that the over-the-air programming
feature be disabled.
The vulnerability note also has a recommendation for
high-security applications:
“For high-security applications
such as critical infrastructure monitoring, Sierra Wireless advises customers
to deploy cellular devices using a Private Cellular Network or VPN to reduce
the risk of an attacker capturing data transferred to/from the device.”
The pages that, as I reported last week, did not mention that the
device was discontinued now contain the following product status note: “Discontinued,
still supported”.
This new information provides customers with a little more
usable information than did the original advisory, which essentially just said “Well
we’ve discontinued the defective device, it’s now your problem”.
WellinTech Advisory
This advisory was originally released on the secure portal (on HSIN) last
month and is now being released to the public. The advisory describes twin
vulnerabilities affecting a variety of the WellinTech SCADA products. The
vulnerabilities were reported by Andrea Micalizzi via the Zero Day
Initiative (ZDI) in a coordinated disclosure. I was not able to find the
ZDI listing for this vulnerability.
The twin vulnerabilities are:
• Information disclosure vulnerability, CVE-2013-2826; and
• ActiveX remote code execution vulnerability, CVE-2013-2827
NOTE: The CVE links are not yet active.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to either obtain system
credentials or run arbitrary code in the dll. WellinTech has provided new
versions of the affected software that mitigate the vulnerabilities. There is
no mention of anyone verifying the efficacy of the new software versions in
fixing these vulnerabilities.