Today the DHS ICS-CERT published an update to yesterday’s
alert about an automated road sign system and an advisory for a new
vulnerability in OpenSSL. Neither system is what comes to most people’s minds
when the term ‘industrial control system’ is mentioned. The first extends the
definition because apparently ICS-CERT doesn’t already have enough on its plate
and the second reminds us that secure communications is a key component of any secure
cyber-system.
Daktronics Alert Update
Today’s update
brings new information about the scope of the vulnerability and an expansion of
the interim mitigation measures suggested by Daktronics and the Federal Highway
Administration, the organization that notified ICS-CERT of this particular
vulnerability.
According to Daktronics the ‘hard coded credential’ is
actually a default password that can (and obviously should) be changed when the
system is installed. I can understand why the FHA gets the two vulnerabilities
confused, after all (SARCASM WARNING) they are a well-known font of control
system security knowledge.
The update also includes three ‘device specific’ mitigation
measures to add to the standard ICS-CERT generic security measures. The new
mitigation suggestions are:
• Displays should not be on publicly accessible IP addresses. Placing a display on a private network or VPN helps mitigate the lack of security,
• Disable the telnet, webpage, and web LCD interfaces when not needed, and
• Change the default password to a strong password as soon as possible on all installed devices.
Nothing really new there; I hope that is because
ICS-CERT is not spending valuable resources on this particular vulnerability.
OpenSSL Advisory
Remember how upset the control system security community was
with the initial ICS-CERT advisory about the HeartBleed vulnerability, because there was
so little actual control system information available in it? Well, the folks at ICS-CERT did not learn the lesson: today’s
advisory about the multiple vulnerabilities recently corrected by OpenSSL
contains even less information. They don’t even list the vulnerabilities
involved.
According to the OpenSSL Security Advisory
the vulnerabilities include:
• SSL/TLS MITM vulnerability (CVE-2014-0224) [this was the only vulnerability mentioned in the KB-CERT Advisory that I tweeted about this morning];
• DTLS recursion flaw (CVE-2014-0221);
• DTLS invalid fragment vulnerability (CVE-2014-0195);
• SSL_MODE_RELEASE_BUFFERS NULL pointer dereference (CVE-2014-0198);
• SSL_MODE_RELEASE_BUFFERS session injection or denial of service (CVE-2010-5298); and
• Anonymous ECDH denial of service (CVE-2014-3470).
In many ways we are in the same place we were when the
HeartBleed alert was first published: we don’t know what systems use the
vulnerable OpenSSL versions. ICS-CERT does point users at their HeartBleed
affected list with the following comment:
“NCCIC/ICS-CERT has produced an
OpenSSL affected/unaffected products list that specifies which vendors,
products, and product versions are affected by the OpenSSL HeartBleed
vulnerability. This document also contains a list of vendors, products, and
product versions that evaluated their products and have asserted that their
products are not affected by the OpenSSL HeartBleed vulnerability. Owners and
operators of control systems might use this list to determine whether their
equipment may also contain a version of OpenSSL that is affected by these newly
reported vulnerabilities. This document will be updated as needed.”
This is helpful for some versions of OpenSSL, but version 0.9.8
was not affected by HeartBleed and will be affected by some of the
vulnerabilities listed above. So some of the vendors listed as clean for
HeartBleed may actually have problems with some of these vulnerabilities.
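The triage gap just described, as an added example that is not part of this post or of any ICS-CERT material: a small Python helper that orders OpenSSL version strings correctly (the patch-letter suffix wraps from ‘z’ to ‘za’, so plain string comparison gets 0.9.8 releases wrong) and sorts an inventory into patch/ok/review buckets against a per-branch first-fixed table. The inventory, the HeartBleed clean list and the fixed-version table below are constructed illustrations; the authoritative first-fixed versions must be taken from the OpenSSL Security Advisory itself.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# major.minor.fix, optional patch letters (a..z, za, zb...), optional "-beta1"-style tag
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]*)(-[a-z0-9]+)?$")


def parse_version(s: str) -> Tuple[int, int, int, int, int]:
    """Sortable tuple (major, minor, fix, patch, is_final).
    patch: 0 = none, 1..26 = a..z, 27 = za, 28 = zb, ... ; a pre-release tag
    sorts below the final release of the same number."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"not an OpenSSL version string: {s!r}")
    major, minor, fix, letters, pre = m.groups()
    if letters and letters[:-1] != "z" * (len(letters) - 1):
        raise ValueError(f"unexpected patch suffix in {s!r}")
    patch = (26 * (len(letters) - 1) + ord(letters[-1]) - ord("a") + 1) if letters else 0
    return (int(major), int(minor), int(fix), patch, 0 if pre else 1)


def branch_of(s: str) -> str:
    major, minor, fix, _, _ = parse_version(s)
    return f"{major}.{minor}.{fix}"


def needs_patch(installed: str, first_fixed: Dict[str, str]) -> Optional[bool]:
    """True if below the branch's first fixed release, False if at or above it,
    None if the branch is not in the table (unknown is not the same as clean)."""
    fixed = first_fixed.get(branch_of(installed))
    if fixed is None:
        return None
    return parse_version(installed) < parse_version(fixed)


def triage(inventory: Dict[str, str], first_fixed: Dict[str, str],
           heartbleed_clean: Set[str]) -> Dict[str, List[str]]:
    """Bucket {product: openssl_version}; a product on the HeartBleed clean
    list still needs patching when its branch is below the new fix."""
    out: Dict[str, List[str]] = {"patch": [], "patch_despite_heartbleed_clean": [],
                                 "ok": [], "review": []}
    for product, version in sorted(inventory.items()):
        verdict = needs_patch(version, first_fixed)
        if verdict is None:
            out["review"].append(product)
        elif not verdict:
            out["ok"].append(product)
        else:
            out["patch_despite_heartbleed_clean" if product in heartbleed_clean else "patch"].append(product)
    return out


# Constructed sample data (hypothetical products; illustrative fixed versions, not the advisory's).
EXAMPLE_INVENTORY = {"SignController": "0.9.8y", "HistorianHMI": "0.9.8za",
                     "FieldGateway": "1.0.1g", "SCADAServer": "1.0.1h", "LegacyRTU": "0.9.7m"}
EXAMPLE_FIRST_FIXED = {"0.9.8": "0.9.8za", "1.0.1": "1.0.1h"}
EXAMPLE_HEARTBLEED_CLEAN = {"SignController", "HistorianHMI", "LegacyRTU"}
```

Running `triage(EXAMPLE_INVENTORY, EXAMPLE_FIRST_FIXED, EXAMPLE_HEARTBLEED_CLEAN)` puts SignController, which was HeartBleed-clean, in the bucket that still needs the new patch, and sends the unlisted 0.9.7 device to manual review rather than calling it clean.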
Of course, this is the type of information that we would
expect from ICS-CERT. Based upon the HeartBleed experience we can expect to see
this type of information in version D or E of this advisory. But we are kept up to
date on Automated Road Sign vulnerabilities.