Today the DHS ICS-CERT published an update of their master DNP3 advisory covering multiple Crain-Sistrunk based advisories, and it published an alert concerning the ICS implications of HeartBleed.
DNP3 Master Advisory
Back in October ICS-CERT took the unusual step of providing a single advisory that tied together all of the previous DNP3 advisories that were based upon the Crain-Sistrunk fuzzing. They then had to update that advisory in November when even more vulnerable systems were added. Today they issued their second (and probably not last) update covering the seven additional advisories that have been issued since November. The current public list of vulnerable systems is (vendors shown in red in the original post are new additions):
• ICSA-13-282-01A, Alstom;
• ICSA-13-297-01, Catapult Software;
• ICSA-13-346-01, Cooper Power Systems;
• ICSA-13-346-02, Cooper Power Systems/Cybectec;
• ICSA-13-337-01, Elecsys;
• ICSA-13-297-02, GE;
• ICSA-13-161-01, IOServer;
• ICSA-13-213-03, IOServer;
• ICSA-13-226-01, Kepware Technologies;
• ICSA-13-213-04A, MatrikonOPC;
• ICSA-13-352-01, NovaTech;
• ICSA-14-098-01, OSISoft;
• ICSA-14-006-01, Schneider Electric;
• ICSA-14-014-01, Schneider Electric;
• ICSA-13-219-01, Schweitzer Engineering Laboratories;
• ICSA-13-234-02, Software Toolbox;
• ICSA-13-252-01, SUBNET Solutions; and
• ICSA-13-240-01, Triangle MicroWorks.
As I mentioned yesterday, there are still eleven un-named vendors with pending Crain-Sistrunk vulnerabilities working their way through the system.
HeartBleed Alert
This is an alert based upon the US-CERT advisory that I reported on yesterday. ICS-CERT issued it. IT SAYS NOTHING ABOUT CONTROL SYSTEMS. And, most disturbingly, it provides the following useless mitigation information:

“If remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.”

Didn’t anybody at ICS-CERT read this???????
2 comments:
DHS ICS-CERT did post an update to include SCADA/ICS devices.
Look at this URL:
http://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-099-01C
DHS ICS-CERT updated their initial advisory, which now includes several manufacturers of SCADA/ICS.
Look here:
http://ics-cert.us-cert.gov/alerts/ICS-ALERT-14-099-01C