Friday, January 16, 2015

ICS-CERT Publishes 2 Advisories

Yesterday the DHS ICS-CERT published two ‘new’ advisories that had been previously published on the US-CERT Secure Portal; one for a GE application and one for an application from Arbiter Systems.

GE Advisory

This advisory describes a memory access violation vulnerability in the GE CIMPLICITY CimView application. The vulnerability was reported by Said Arfi. GE has produced an update that mitigates the vulnerability but there is no report of Arfi verifying the efficacy of the update.

ICS-CERT reports that a moderately skilled attacker could exploit this vulnerability to execute arbitrary code. While the advisory states that this vulnerability could not be remotely exploited, it does note that user interaction is required for exploitation. That would seem to mean that a specially crafted social engineering attack could cause a local user to upload the .CIM file needed to exploit this vulnerability.

This is the second GE advisory this week that has been withheld from public view for almost 90 days after it was released on the US-CERT Secure Portal. It is hard to understand why it would take that length of time for GE systems owners to mitigate this vulnerability, especially since the vulnerability is not supposed to be remotely exploitable.

Arbiter Systems Advisory

This advisory describes a GPS clock spoofing vulnerability. This vulnerability was apparently self-reported. Arbiter Systems has developed a new product that does not have the reported vulnerability.

ICS-CERT reports that while the vulnerability is remotely exploitable the vendor believes that it would be difficult to craft a workable exploit. They are so sure of this, in fact, that Arbiter Systems still intends to sell the vulnerable system. ICS-CERT does explain that a successful exploit could disrupt the clock.

What is not explained in the advisory is that disrupting a clock in a SCADA system will interfere with the coordination of the actions of physically separated components of that system. The potential effects would be determined by what controls were mis-coordinated.
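One defensive measure that follows from this is to treat the GPS clock as just one time source and cross-check it against independent references, so that a spoofed or disrupted clock is noticed before mis-coordinated control actions follow. The script below is an added illustration, not code from ICS-CERT, Arbiter Systems or the advisory; the source names, the thresholds and the readings are all constructed assumptions. It polls several time sources on a fixed interval and raises an alert when one source steps by more than expected between polls, or when it departs from the median of all sources by more than a tolerance. With three or more sources, one misbehaving clock cannot drag the median with it.

```python
"""Added example (not from the advisory or any vendor): cross-check several
time sources to detect a GPS clock that has jumped or drifted away from its
peers. Every reading and threshold below is a constructed assumption."""
from dataclasses import dataclass
from statistics import median

POLL_INTERVAL_S = 10.0     # assumed polling period between successive readings
JUMP_LIMIT_S = 1.0         # assumed: a step deviating more than this from the period is suspect
DIVERGENCE_LIMIT_S = 0.5   # assumed: disagreement with the median beyond this is suspect


@dataclass(frozen=True)
class Alert:
    poll: int        # index of the poll in which the anomaly was seen
    source: str      # name of the offending time source
    kind: str        # "jump" (step between polls) or "divergence" (vs. median)
    delta_s: float   # size of the anomaly in seconds


def check_time_sources(samples):
    """samples: list of dicts {source_name: seconds_since_epoch}, one per poll.

    Returns a list of Alert objects, in the order the checks fire:
      - "jump": a source advanced by more than POLL_INTERVAL_S +/- JUMP_LIMIT_S
        since the previous poll (a clock that was stepped, forward or back);
      - "divergence": a source differs from the median of all sources in the
        same poll by more than DIVERGENCE_LIMIT_S (needs at least three sources
        so a single bad clock cannot move the median).
    """
    alerts = []
    prev = None
    for i, reading in enumerate(samples):
        # (a) step check: compare each source against its own previous reading
        if prev is not None:
            for name, t in reading.items():
                if name in prev:
                    step = t - prev[name]
                    if abs(step - POLL_INTERVAL_S) > JUMP_LIMIT_S:
                        alerts.append(Alert(i, name, "jump", step - POLL_INTERVAL_S))
        # (b) consensus check: compare each source against the median of the poll
        if len(reading) >= 3:
            mid = median(reading.values())
            for name, t in reading.items():
                delta = t - mid
                if abs(delta) > DIVERGENCE_LIMIT_S:
                    alerts.append(Alert(i, name, "divergence", delta))
        prev = reading
    return alerts


def sample_readings():
    """Constructed readings from three sources polled every 10 s. In poll 2 the
    GPS-derived clock is pushed 3 s ahead and then keeps running at that offset."""
    base = 1421366400.0  # constructed epoch value; only differences matter
    honest = [base + POLL_INTERVAL_S * i for i in range(4)]
    gps = [base, base + 10.0, base + 23.0, base + 33.0]
    return [
        {"gps": gps[i], "ntp": honest[i], "rubidium": honest[i]}
        for i in range(4)
    ]


if __name__ == "__main__":
    for alert in check_time_sources(sample_readings()):
        print(f"poll {alert.poll}: {alert.source} {alert.kind} {alert.delta_s:+.1f} s")
```

On the constructed data the GPS source produces a jump alert in poll 2 and divergence alerts in polls 2 and 3, while the two honest references stay quiet; the persisting divergence is what distinguishes a stepped clock from a one-off glitch.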

1 comment:

Jake Brodsky said...

Typically, if time synchronization matters, there is more than one clock and there are more than one brand/type of clock.

Yes, SCADA systems do depend heavily on time, if for no other reason than so that they can record accurate sequences of events across multiple master stations.

However, the significance of a particular clock is always a matter for the end user to determine. It is not the job of ICS-CERT to explain this to the public.
