Tuesday, August 26, 2014

ICS-CERT Publishes Two New Advisories

Today the DHS ICS-CERT published two control system cybersecurity advisories for multiple vulnerabilities in the CG Automation Substation Gateway and the Schneider Electric Wonderware Information Server.

Wonderware Advisory

This advisory describes five vulnerabilities reported by Timur Yunusov, Ilya Karpov, Sergey Gordeychik, Alexey Osipov, and Dmitry Serebryannikov of the Positive Technologies Research Team in a coordinated disclosure. ICS-CERT reports that Schneider has produced an update that mitigates these vulnerabilities, but there is no indication that Positive Technologies Research has validated that update.

The five reported vulnerabilities are:

• Account encryption and storage - CVE-2014-2381 and CVE-2014-2380;
• Cross-site scripting - CVE-2014-5397;
• Improper input validation - CVE-2014-5398; and
• SQL injection - CVE-2014-5399.

ICS-CERT reports that crafting an exploit of these vulnerabilities ‘would be difficult’.

Judging by the CVE numbers, it looks like there may have been two different vulnerability reports by Positive Technologies Research, separated by a significant amount of time.

CG Automation Advisory

This advisory covers the latest Crain-Sistrunk disclosed DNP3 improper input validation vulnerability. According to the Automatak Robus web site, this should be the 22nd system report published by ICS-CERT of the reported 30 Crain-Sistrunk DNP3 reports submitted to date. CG Automation has provided an update. ICS-CERT specifically reports that CG Automation, not Crain-Sistrunk, has self-validated the efficacy of the fix; something smells there.

Follow-up NOTE (08-27-14 07:46 CDT): Adam reports that he and Chris no longer have access to CG Automation hardware to do the validation testing. So nothing nefarious, but it would have been appropriate (IMHO) for CG Automation to offer access for validation testing.

1 comment:

Dale Peterson said...

Still not used to Schneider - Invensys - Wonderware buyouts. Schneider is Wonderware. Schneider is Telvent. Schneider is Foxboro. Schneider is Control Microsystems. And unfortunately Schneider is Modbus Function Code 90.

Dale Peterson
