This afternoon the DHS ICS-CERT published advisories for
vulnerabilities in four different control systems. The vendors include:
Advantech, Siemens, WellinTech and OSISoft. All were coordinated disclosures.
Advantech Advisory
This advisory is for multiple vulnerabilities in the Advantech WebAccess product. The vulnerabilities
were coordinated through the ZDI initiative (still on the ‘Upcoming’ ZDI
page) by Andrea Micalizzi (aka rgod), Tom Gallagher, and an independent
anonymous researcher. ICS-CERT reports that Advantech has produced a new
version of the software that corrects the problem but does not say that anyone
has verified the efficacy of the update.
The vulnerabilities are:
• SQL injection, CVE-2014-0763;
• Stack-based buffer overflow (5), CVE-2014-0764, CVE-2014-0765, CVE-2014-0766, CVE-2014-0767, CVE-2014-0768;
• Command injection, CVE-2014-0773.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to execute arbitrary code or read
files stored on the target machine.
Siemens Advisory
This advisory is for a Browser Exploit Against SSL/TLS (BEAST) vulnerability (Note: this is not
associated with the Heartbleed SSL/TLS bug) in the Ruggedcom Win product line.
The vulnerability was reported to Siemens ProductCERT by Dan Frein and Paul
Cotter of West Monroe Partners. Siemens has produced a firmware update that
resolves the incompatibility issue. The Siemens ProductCERT Advisory describes
additional mitigation techniques.
ICS-CERT reports that a moderately skilled attacker could
remotely exploit this vulnerability to access the session ID of the current
user. That could be used to read traffic exchanged between the user and the device.
WellinTech Advisory
This advisory describes a stack-based buffer overflow vulnerability in the KingSCADA
application that was reported by an anonymous researcher through ZDI.
WellinTech has produced a patch that mitigates the vulnerability, though there
is nothing in the advisory that indicates that the mitigation has been
independently verified.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to execute arbitrary code.
According to the WellinTech web site, the patch was made
available on March 27th, 2014.
OSISoft Advisory
This advisory covers a Crain-Sistrunk-reported vulnerability in the PI Interface for DNP3; it is the
typical improper input validation vulnerability, present in both the IP and serial
communication modes of the device.
ICS-CERT reports that while a moderately skilled attacker
could remotely exploit the IP vulnerability, it would take a more skilled
attacker with physical access to exploit the serial interface vulnerability. As
I have said on previous occasions, I disagree with the term ‘skilled attacker’
to describe the exploit requirements for plugging in a serial cable in an
unmanned facility.
It has been almost two months since the last Crain-Sistrunk vulnerability
was reported by ICS-CERT. According to the Project Robus web site, only 17 of
28 (it should now read 18 of 28) DNP3 vulnerable systems have been reported by
ICS-CERT. I asked Adam Crain about this in a Twitversation
today and he explained that most of the remaining vendors are not talking
to ICS-CERT.
Given their adamant stand on coordinated disclosures, it is
unlikely that Adam or Chris will out any of these vendors any time soon. So, if
you have a DNP3 system that has not yet been outed by ICS-CERT, then you might
want to download the Crain-Sistrunk
fuzzer and check your system for yourself.