Today the DHS ICS-CERT published four advisories for
vulnerabilities in industrial control systems. They included vulnerabilities
from InduSoft, Festo, Siemens and Certec. Only one advisory deals with
HeartBleed. The advisory of note shows that ICS-CERT can get upset with vendor
inaction.
InduSoft Advisory
This advisory
describes a path traversal vulnerability in the InduSoft Web Studio
application. It was reported by John Leitch in a coordinated disclosure through
the Zero Day Initiative (ZDI).
This advisory was originally released on the US-CERT secure portal on April 17th.
A patch is available, but there is no indication that its efficacy has been
evaluated by the researcher.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to gain further access that would
allow arbitrary code execution.
Festo Advisory
This advisory describes
multiple vulnerabilities in the Festo PLC. The vulnerabilities were reported by
Reid Wightman of IOActive in a coordinated disclosure. ICS-CERT reports that
Festo has opted to not address these vulnerabilities. The vulnerabilities
include:
• Improper authentication (FTP Backdoor), CVE-2014-0760;
• Improper authentication (two unauthenticated ports), CVE-2014-0769;
• Improper access controls (using outdated CoDeSys runtime module), CVE-2012-6068; and
• Directory traversal (same outdated CoDeSys module), CVE-2012-6069
ICS-CERT reports that a relatively low-skilled attacker
could use publicly available code to remotely exploit these vulnerabilities.
I want to commend ICS-CERT for getting angry in one of their
advisories; this is a situation that certainly appears to deserve an
adversarial response. I think the best statement from ICS-CERT can be found in
the Overview section of the Advisory:
“This advisory is being published
to alert critical infrastructure asset owners of the risk of using this
equipment [emphasis added] and for them to increase compensating
measures if possible.”
I read Reid’s TWEET®
about this advisory earlier today and was kind of surprised at his reaction. I
am not surprised now. Again, kudos to ICS-CERT for reacting to this callous
disregard for customer security. It will be interesting to see if there is a
change in attitude in Esslingen am Neckar, FRG.
Siemens Advisory
This advisory
addresses two vulnerabilities in the Siemens SIMATIC S7-1200 PLC family. This
is a mix of self-reported and researcher reported vulnerabilities. The
researchers from OpenSource Training are Ralf Spenneberg, Hendrik Schwartke,
and Maik Brüggeman. Siemens
reports that they have produced a new version that mitigates the
vulnerabilities though there is no indication that the researchers have
validated the efficacy of the fix. The vulnerabilities include:
• Cross site scripting, CVE-2014-2908; and
• Improper neutralization of CRLF sequences, CVE-2014-2909
ICS-CERT reports that it would take a skilled attacker with
physical access gaining the assistance of an authorized user to exploit these
vulnerabilities. A successful exploit could result in a DoS attack.
Certec Advisory
This advisory is
the one that was foretold in yesterday’s blog post about ICS-CERT HeartBleed
publications. The Certec atvise SCADA product is susceptible to the HeartBleed
bug. An update that includes a newer version of the OpenSSL software has been
made available.