While everyone is still talking about BlackEnergy, the DHS
ICS-CERT released three advisories today concerning lesser vulnerabilities in
three applications used in control systems communications. One was a follow-up
to an alert issued last Halloween, while the other two are newer
vulnerabilities that were released earlier this month on the US-CERT secure
portal.
Nordex Advisory
Last Halloween ICS-CERT published
an alert about an uncoordinated disclosure (complete with exploit) of a
cross-site scripting vulnerability in the Nordex Control 2 (NC2) application.
Today ICS-CERT announced
that Nordex has (I think) produced a patch to mitigate the vulnerability;
needless to say, no one has contacted the uncooperative researcher, Darius
Freamon, to verify its efficacy.
ICS-CERT reports that a relatively low skilled attacker
could use the publicly available exploit to remotely “execute arbitrary script
code in the user’s browser”.
I said ‘I think’ parenthetically above because of the
wording of the following sentence in today’s advisory:
“Nordex will release a patch for
all affected NC2-SCADA versions until the end of 2014.”
I think that that means that the patch is available but
Nordex will only be applying the patches through the end of the year. The
Advisory notes that the patching of the wind turbine control system has to be
done by Nordex. A year to wait for the vendor to fix a cross-site scripting
error and then have to wait until they can get around to your site to apply the
fix; I hope Nordex is including all of this in their sales material.
Meinberg Advisory
This advisory
reports another cross-site scripting vulnerability, this time in the Meinberg Radio
Clocks GmbH & Co. KG LANTIME M400 web interface. This was originally
reported by Aivar Liimets of Martem Telecontrol Systems in a coordinated
disclosure. ICS-CERT reports that Meinberg has produced a firmware update that
has been verified by Liimets. This advisory was originally released on the US-CERT
secure portal on October 2nd.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit this vulnerability to “cause the time server to provide
misinformation to devices”.
Accuenergy Advisory
This advisory
reports two authentication vulnerabilities in the AXM-NET Ethernet module from
Accuenergy. The vulnerabilities were reported by Laisvis Lingvevicius in a
coordinated disclosure. According to ICS-CERT, Accuenergy has produced a
firmware update that has been validated by Lingvevicius. This advisory was also
released on the US-CERT secure portal on October 2nd.
The two vulnerabilities are:
• Authentication bypass vulnerability, CVE-2014-2373; and
• Password disclosure vulnerability, CVE-2014-2374.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit these vulnerabilities to change network settings for the
AXM-NET module web server as part of a denial of service attack.
Interestingly, the Accuenergy web
site offers the following information about the firmware update:
“Redesign and improve encryption
method on web-server, tested and verified by Department of Homeland Security,
industrial control system cyber emergency response team [sic]”.
In light of discussions about what ICS-CERT really does (see,
most recently, Dale Peterson’s blog post “What Does ICS-CERT Do?”), it is nice to
see positive signs of actual involvement in the process of fixing
vulnerabilities. Of course, there are lots of businesses out there that are
trying to make payroll by doing the same sort of thing.
Of course Accuenergy could just be blowing smoke to try to
make their own efforts look good.