It was a busy day for ICS-CERT today: four new advisories, an almost three-month-old advisory finally being made public, and one update to an advisory that was published yesterday. Did anyone mention that S4x15 started today?
GE DNP3 Advisory
Let’s get the old advisory out of the way first. This advisory was originally published back on October 14th on the US-CERT Secure Portal. It describes a Crain-Sistrunk improper input validation vulnerability in the DNP3 implementation used by the GE iFix and Cimplicity products. That implementation was produced by Catapult Software, which developed a patch that mitigates the vulnerability; GE has verified the efficacy of the patch. It does not appear that Crain-Sistrunk have verified its efficacy.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to effect a DoS attack.
According to the Project Robus website, it now looks like 29 of the 30 DNP3 vulnerabilities reported by Crain-Sistrunk have been publicly disclosed by ICS-CERT.
NOTE: No reason is given for the unusually long delay between the US-CERT Secure Portal publication and the ICS-CERT public notification.
GE Multilink Advisory
This advisory describes two vulnerabilities that affect the GE Multilink line of switches. The vulnerabilities were found by Eireann Leverett of IOActive in one of the Multilink switch lines, and GE notified ICS-CERT that other lines were affected as well. A firmware upgrade is available.
The two reported vulnerabilities are:
● Resource consumption vulnerability - CVE-2014-5418; and
● Hard-coded key - CVE-2014-5419
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to conduct a DoS attack or decrypt traffic. ICS-CERT reports that there are no publicly available exploits for these specific vulnerabilities, while GE restricts that claim specifically to the ML800 switches.
Phoenix Contact Software Advisory
This advisory describes an authentication vulnerability in applications developed by Phoenix Contact Software. These applications are used by undisclosed vendors to run process control and manage IEC 61131 logic. The vulnerability was originally reported by Reid Wightman of Digital Bond. Phoenix Contact Software is considering developing a fix for this vulnerability.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to inject arbitrary commands into the protocol.
The end-use product may or may not contain mitigation measures that protect against this vulnerability.
GOOD LUCK. Caveat emptor.
Clorius Controls Advisory
This advisory describes an insecure Java client web authentication vulnerability in the Clorius Controls A/S ISC SCADA server. The vulnerability was originally reported by Aditya Sood, who has validated the efficacy of the update that has been made available.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to gain complete access to the server.
Siemens Advisory
I noted the Siemens release of their advisory about this vulnerability this morning on Twitter and am now happy to report ICS-CERT’s prompt release of their advisory. It describes three separate authentication vulnerabilities in the WinCC Sm@rtClient iOS application. The vulnerabilities were originally reported by Kim Schlyter, Seyton Bradford, and Richard Warren of FortConsult. Siemens has produced an update to mitigate the vulnerabilities, but there is no report that the researchers have validated its efficacy.
The vulnerabilities include:
● Insufficiently protected credentials - CVE-2014-5231 and CVE-2014-5233; and
● Improper authentication - CVE-2014-5232
ICS-CERT reports that a relatively low-skilled attacker with local access to the mobile device could exploit these vulnerabilities to gain access to the application and then presumably (my guess, not mentioned in the advisory) remotely access the control system with the full rights of the mobile device owner.
CodeWrights Advisory Update
Yesterday’s advisory was updated today to clarify that, while ABB is a customer of the CodeWrights HART DTM library, ABB has not yet verified that any of its systems are affected by the identified vulnerability. The update provides a link to the ABB security advisory page, where ABB will make the notification if any systems are found to be vulnerable.
I think that it is probably safe to assume that ICS-CERT has not yet verified that any of the other potentially affected vendors listed actually have products with the vulnerabilities. They apparently made the somewhat reasonable assumption that if these vendors (including ABB) had bought the rights to use the vulnerable libraries, then their products using those libraries would be affected.
I guess we will just have to wait and see. I know
which way I would bet.