Thursday, August 13, 2015

ICS-CERT Publishes one Advisory and Two Alerts

This afternoon the DHS ICS-CERT published an OIsoft advisory for 56 vulnerabilities in one product and alerts on two different Rockwell products. ICS-CERT did not name researchers on Rockwell alerts so we cannot tell if these are DefCon related. The OIsoft vulnerabilities are all self-reported.

OSIsoft Advisory

This advisory almost describes the most serious of 56 vulnerabilities in the OSIsoft PI System software. The categories are listed for the top 25 vulnerabilities based upon risk; they are:

CWE-20: Improper Input Validation (6 issues),
CWE-250: Execution with Unnecessary Privileges (3 issues),
CWE-200: Information Exposure (1 issue),
CWE-476: NULL Pointer Dereference / Denial of Service (13 issues), and
CWE-384: Session Management (2 issues).

OSIsoft has produced a new version of Data Archive that mitigates these vulnerabilities.

Rockwell Alert 1

This alert describes a cross-site scripting vulnerability in Rockwell Automation’s 1769-L18ER/A LOGIX5318ER web interface. A proof-of-concept exploit has been publicly released. ICS-CERT is coordinating with Rockwell.

Rockwell Alert 2

This alert describes a remote file inclusion vulnerability in Rockwell Automation’s 1766-L32BWAA/1766-L32BXBA web interfaces. A proof-of-concept exploit has been publicly released. ICS-CERT is coordinating with Rockwell.


How long has OSIsoft known about some of these vulnerabilities. Probably a relatively long time. Luckily for them (we hope) no researcher found these vulnerabilities first. Just think of how many BH/DC presentations were missed because no one was looking.

Rhetorical question to think about: Was OSIsoft marketing behind the notification of ICS-CERT about these vulnerabilities? Great way to get folks to upgrade but might warn off new customers. I guess it could go either way.

Yesterday’s alerts clearly identified researcher who notified ICS-CERT days before public release. Today’s alert without apparent ICS-CERT notification did not get attribution. Is that the way ICS-CERT plans on handling this touchy issue in the future? If so, researchers take note. Drop ICS-CERT a line just before you go public.

No comments:

/* Use this with templates/template-twocol.html */