Yesterday the DHS ICS-CERT published two ‘new’ advisories that had been previously published on the US-CERT Secure Portal; one for a GE application and one for an application from Arbiter Systems.
GE Advisory
This advisory describes a memory access violation vulnerability in the GE CIMPLICITY CimView application. The vulnerability was reported by Said Arfi. GE has produced an update that mitigates the vulnerability, but there is no report of Arfi verifying the efficacy of the update.
ICS-CERT reports that a moderately skilled attacker could exploit this vulnerability to execute arbitrary code. While the advisory states that this vulnerability could not be remotely exploited, it does note that user interaction is required to exploit it. That would seem to mean that a specially crafted social engineering attack could cause a local user to upload the .CIM file needed to exploit this vulnerability.
This is the second GE advisory this week that has been withheld from public view for almost 90 days after it was released on the US-CERT Secure Portal. It is hard to understand why it would take that length of time for GE system owners to mitigate this vulnerability, especially since the vulnerability is not supposed to be remotely exploitable.
Arbiter Systems Advisory
This advisory describes a GPS clock spoofing vulnerability. This vulnerability was apparently self-reported. Arbiter Systems has developed a new product that does not have the reported vulnerability.
ICS-CERT reports that, while the vulnerability is remotely exploitable, the vendor believes that it would be difficult to craft a workable exploit. They are so sure of this, in fact, that Arbiter Systems still intends to sell the vulnerable system. ICS-CERT does explain that a successful exploit could disrupt the clock.
What is not explained in the advisory is that disrupting a clock in a SCADA system will interfere with the coordination of the actions of physically separated components of that system. The potential effects would be determined by what controls were mis-coordinated.
1 comment:
Typically, if time synchronization matters, there is more than one clock and there is more than one brand/type of clock.
Yes, SCADA systems do depend heavily on time, if for no other reason than so that they can record accurate sequences of events across multiple master stations.
However, the significance of a particular clock is always a matter for the end user to determine. It is not the job of ICS-CERT to explain this to the public.