Today the DHS ICS-CERT published three new advisories for control systems from Hospira, Ecava and Inductive Automation, and an update for a recently released advisory for Schneider Electric.
Schneider Update
This update is for the Schneider advisory released last week for the InduSoft Web Studio and InTouch Machine applications. The update provides a link to additional information about the vulnerabilities, but that information is only available to registered Wonderware customers, external partners or distributors.
Hospira Advisory
This advisory describes multiple vulnerabilities in the Hospira MedNet server software. The vulnerabilities were reported by Billy Rios. Hospira has produced a new version of the software and provided additional mitigation measures, but there is no indication that Billy has been given the opportunity to verify the efficacy of the fix.
The four vulnerabilities are:
∙ Password in configuration file - CVE-2014-5400;
∙ Improper control of generation of code - CVE-2014-5401;
∙ Hard-coded cryptographic key - CVE-2014-5403; and
∙ Hard-coded password - CVE-2014-5405
ICS-CERT reports that a relatively low skilled attacker could remotely exploit three of the vulnerabilities; the password in configuration file vulnerability is only locally exploitable.
ICS-CERT explains that the new version of the MedNet server software addresses three of the vulnerabilities. The fourth vulnerability (improper control of generation of code) is found in “the vulnerable version of JBoss Enterprise Application Platform [link added] software, used in the MedNet software”. There is no indication which version of the EAP software is involved. MedNet has issued two reports (Improving Security in Hospira MedNet 5.5 and 5.8) discussing mitigation methods for this vulnerability. They are reportedly available from MedNet technical support.
NOTE: It goes without saying that vendors that use JBoss EAP should contact Red Hat for details about this vulnerability. It will be interesting to see how long it is before this shows up in other ICS application advisories.
Ecava Advisory
This advisory describes a DLL loading vulnerability in the Ecava IntegraXor SCADA Server. The vulnerability was reported by Praveen Darshanam. Ecava has produced a patch that mitigates the vulnerability, and Darshanam has verified the efficacy of the patch.
ICS-CERT reports that a social engineering attack is required to get an authorized user to load a compromised DLL. A successful attack could result in the ability to run malicious code at the authorization level of the DLL.
Inductive Automation Advisory
This advisory describes multiple vulnerabilities in the Inductive Automation Ignition software (HMI/SCADA). The vulnerabilities were reported by Evgeny Druzhinin, Alexey Osipov, Ilya Karpov, and Gleb Gritsai of Positive Technologies. Inductive Automation has produced a patch that mitigates the vulnerabilities, but there is no indication that the researchers have been given an opportunity to verify the efficacy of the fix.
The six vulnerabilities are:
∙ Cross-site scripting - CVE-2015-0976;
∙ Information exposure through error message - CVE-2015-0991;
∙ Insecure storage of sensitive information - CVE-2015-0992;
∙ Insufficient session expiration - CVE-2015-0993;
∙ Credentials management - CVE-2015-0994; and
∙ Use of password hash with insufficient computational effort - CVE-2015-0995
ICS-CERT explains that a relatively low skilled attacker can only locally exploit these vulnerabilities, though earlier in the same advisory it reports that the vulnerabilities are remotely exploitable (which sounds more reasonable). The advisory does not describe potential consequences, but it would seem that a successful exploit should allow the running of arbitrary code.