There has been an interesting Twittversation about these vulnerabilities since I did my earlier post. Carsten Eiram (@carsteneiram) provided a link to the original vulnerability report that Risk Based Security published after Schneider apparently published their original (though no longer available) advisory back in March of last year. While that report is not exactly ‘exploit code’ it certainly contains enough information that a reasonably competent hacker should be able to write their own.
Adam Crain (@jadamcrain; of DNP3 Fuzzing Fame) asked: “Any idea what took @ICS-CERT so long on this one?” This is certainly a good question since it has now been over a year since Schneider first publicly reported the vulnerability.
The delay is almost certainly related to the fact that Schneider is fixing the problem system by system. While the problem is reportedly in the common ModbusDriverSuite, the implementation of that suite in each of the eleven products is likely slightly different. According to the most recent Schneider advisory (dated September 13th, 2013) they don’t intend to issue product updates just for this vulnerability; the fix will be included in the next product update.
I suspect that either ICS-CERT finally got fed up with the slow pace of updates or they received some recent communication from Schneider that indicated that Schneider had effectively decided not to fix the other eight products. Either would certainly explain the following comment in yesterday’s ICS-CERT Advisory:
“Schneider Electric has no immediate plan [emphasis added] for updating the other identified software products.”
In any case, Schneider has left customers who own the software listed below in an unenviable position. Their control system has a publicly identified security vulnerability for which the only available fix is a network limitation; a fix that individual customers may or may not be in a position to put into place.
• TwidoSuite Versions 2.31.04 and earlier (available next month?);
• PowerSuite Versions 2.6 and earlier;
• SoMove Versions 1.7 and earlier;
• SoMachine Versions 2.0, 3.0, 3.1, and 3.0 XS;
• UnityLoader Versions 2.3 and earlier;
• Concept Versions 2.6 SR7 and earlier;
• ModbusCommDTM sl Versions 2.1.2 and earlier;
• PL7 Versions 4.5 SP5 and earlier; and
• SFT2841 Versions 14, 13.1 and earlier.
Maybe this push by ICS-CERT will speed up the process. Or maybe enough complaints from customers will provide the necessary impetus. Finally, regulators that have cyber security controls available may want to ensure that folks with these systems are taking special precautions.