Today the DHS ICS-CERT published a new advisory
affecting 11 separate Schneider Electric products that use the serial MODBUS
driver. This advisory is based upon a stack-based buffer overflow vulnerability
reported by Carsten Eiram of Risk-Based Security in a coordinated disclosure. An
updated ModbusDriverSuite has been produced, but there is no indication whether
or not Carsten has had a chance to verify the efficacy of that mitigation.
ICS-CERT reports that a highly skilled attacker could
remotely exploit this vulnerability to execute arbitrary code.
The ICS-CERT advisory gives conflicting information about
the mitigation efforts undertaken by Schneider. In one paragraph it states that
the latest versions of OFS and UnityPro have been released with an updated
ModbusDriverSuite and other affected systems will have that suite in their next
update. The next paragraph then states that: “Schneider Electric has no
immediate plan for updating the other identified software products.”
The advisory from Schneider (originally released September 13th, 2013)
states:
“The ModbusDriverSuite for
TwidoSuite will be available in April of 2014. Until the ModbusDriverSuite
becomes available for TwidoSuite, Schneider Electric recommends using a
firewall to allow only authorized systems to access TwidoSuite. OFS V3.5 and
Unity Pro V8 have been released including the updated ModbusDriverSuite. For
other products listed, the updated ModbusDriverSuite will be implemented with
each new version of those Software Products.”
The Schneider-produced advisory has some changes recorded in
it. It appears that, initially at least, they believed that the
vulnerability could only be exploited via local access. They also apparently
initially underestimated the degree of risk associated with this vulnerability;
they updated the CVSS Base Score from 6.9 to 9.3 (the same value that ICS-CERT
is reporting). There is no indication when these two visible changes were made
to their advisory.