Today the DHS ICS-CERT published advisories for vulnerabilities
in Honeywell’s Experion Process Knowledge System and Innominate mGuard and
updated previously issued advisories for Siemens and Emerson control systems.
Emerson Update
This update
clarifies information that was published in an update two weeks ago. The
earlier update added a new vulnerability to the advisory, and its wording
implied that the previously issued patch mitigated that vulnerability as well.
There was an interesting twitversation
about this wording, and it appears that someone may have been listening (a good
thing).
ICS-CERT now clarifies that the patch mitigates all but the
recently added authentication bypass vulnerability. That vulnerability is the one that still requires
the third-party secure router for mitigation. There are also some
interesting changes in the wording about the use of that router. Originally
ICS-CERT reported that:
“Emerson asserts that by adding the
EDR810 between the host and the field device it is virtually impossible for an
attacker to eavesdrop on communications or falsify commands.”
The new wording is a bit less bombastic and more limited in its
claims:
“At this time, Emerson recommends
that concerned asset owners install the EDR 810 between the host and the field
device to mitigate this vulnerability.”
I suspect that someone’s lawyer got involved.
Siemens Update
Innominate Advisory
This advisory
describes a self-reported privilege escalation vulnerability in the Innominate
mGuard devices. Innominate has produced a firmware patch that reportedly mitigates
the vulnerability.
ICS-CERT reports that a moderately skilled attacker who already has admin
privileges on the device could remotely exploit this vulnerability to escalate
those privileges to root and execute arbitrary commands. Innominate
reports that in most installations the personnel holding admin and root
privileges are the same people, so the vulnerability would have no practical effect in
those cases.
BTW: Innominate also
reported a denial of service vulnerability in a
slightly different set of mGuard devices, caused by the way they use an OpenVPN
connection to tunnel IPsec packets. I wonder why ICS-CERT didn't publish
an advisory for this vulnerability since it was also published yesterday by
Innominate.
Honeywell Advisory
This advisory
describes five vulnerabilities in the Honeywell Experion Process
Knowledge System (EPKS) application. The vulnerabilities were reported by Alexander Tlyapov, Gleb Gritsai, Kirill
Nesterov, Artem Chaykin and Ilya Karpov of the Positive Technologies Research
Team and Security Lab. ICS-CERT reports that Honeywell has developed patch
updates for the affected products, but does not say that the researchers have
validated the efficacy of the patches.
The five vulnerabilities include:
• Heap-based buffer overflow - CVE-2014-9187;
• Stack-based buffer overflow - CVE-2014-9189;
• Arbitrary memory write - CVE-2014-5435;
• Directory traversal - CVE-2014-5436; and
• File inclusion - CVE-2014-9186.
ICS-CERT reports that a moderately skilled attacker could
remotely exploit these vulnerabilities to achieve remote code execution or
potentially disclose information. I can find no information on the public Honeywell
web site about these vulnerabilities.
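The advisory gives no detail on how these bugs arise in EPKS, so as an added illustration of one of the classes listed, directory traversal, here is a generic Python example. It is not Honeywell's code and is not taken from the advisory: a naive file handler sits beside a hardened one, and both are run against a constructed directory tree in a temporary folder. The function names, the document layout and the sample files are assumptions made for the demonstration.

```python
import os
import tempfile
from pathlib import Path


def make_sample_root():
    """Build a constructed document tree in a temp dir (sample data, not real EPKS files).

    <root>/public/index.html   -- the only file the server is meant to serve
    <root>/secret.cfg          -- sits outside the served directory
    """
    root = Path(tempfile.mkdtemp(prefix="traversal_demo_"))
    (root / "public").mkdir()
    (root / "public" / "index.html").write_text("<html>ok</html>")
    (root / "secret.cfg").write_text("password=hunter2")
    return root


def vulnerable_read(doc_root, requested):
    """Naive handler: joins the request onto the served directory without checking it.

    A request of '../secret.cfg' walks out of <root>/public and reads a file the
    server was never meant to expose.
    """
    path = os.path.join(doc_root, "public", requested)
    with open(path) as f:
        return f.read()


def safe_read(doc_root, requested):
    """Hardened handler: canonicalise the target and refuse anything outside the served directory.

    resolve() collapses '..' segments, follows symlinks and replaces the base when the
    request is an absolute path, so the containment check sees the real destination.
    """
    base = (Path(doc_root) / "public").resolve()
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        raise PermissionError(f"request escapes the served directory: {requested!r}")
    with open(target) as f:
        return f.read()


def demo():
    """Run both handlers against the same traversal request; returns what each did."""
    root = make_sample_root()
    leaked = vulnerable_read(root, "../secret.cfg")
    try:
        safe_read(root, "../secret.cfg")
        blocked = False
    except PermissionError:
        blocked = True
    return {
        "leaked_by_vulnerable": leaked,
        "blocked_by_safe": blocked,
        "legit_still_served": safe_read(root, "index.html"),
    }


if __name__ == "__main__":
    print(demo())
```

The check is done on the resolved path rather than on the request string, so encoded or symlinked variants of `..` are caught by the same comparison; a blacklist of `../` substrings would not be.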