This morning the DHS ICS-CERT published four new control
system security advisories for products from SMA Solar Technology, Moxa,
Schneider Electric, and Cogent.
SMA Advisory
This advisory
describes a hard-coded account vulnerability in the SMA Solar Technology Sunny WebBox
product. The vulnerability was originally reported by Aleksandr Timorin of PT
Security. SMA does not plan to fix this vulnerability because the product will
soon be discontinued. They have provided some mitigation measures, but there is
no indication that Timorin has been given the opportunity to verify the efficacy
of those mitigations. This advisory was originally released on the US-CERT Secure Portal
on June 30th, 2015.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit this vulnerability to gain complete access to the system.
ICS-CERT reports that SMA “recommends using port-forwarding
or a VPN to access these devices remotely”. ICS-CERT, on the other hand,
recommends that owners remove and replace the system. Note that port-forwarding
only changes how the device is reached; anyone who can connect to the forwarded
port can still log in with the hard-coded account, so of the two vendor options
only the VPN (or keeping the device off routable networks entirely) actually
limits exposure. The public portion of the
SMA Solar Technology website contains
no mention of this vulnerability.
It is disappointing to see any vendor stop providing
security support for a product while it is still being sold, even if it is an
older system that is in the process of being phased out. Control system
products are expected to have a useful life that is longer than their sales life. Failing
to support such systems beyond the end of sales is short-sighted and provides a clear
indication (IMHO) of a lack of customer focus on the part of the organization. CAVEAT
EMPTOR!
Moxa Advisory
This advisory
describes three separate vulnerabilities found in the Moxa EDS-405A/EDS-408A
series managed Ethernet switches. The vulnerabilities were originally reported
by Erwin Paternotte of Applied Risk. Moxa has produced a firmware update to
mitigate the vulnerabilities, but there is no indication that Paternotte has
been given the opportunity to verify the efficacy of the fix.
The three vulnerabilities are:
∙ Improper privilege management, CVE-2015-6464;
∙ Resource exhaustion, CVE-2015-6465; and
∙ Cross-site scripting, CVE-2015-6466.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to elevate access privileges,
execute a denial-of-service attack, or inject JavaScript code.
The Moxa firmware release notes for the EDS-405A
series do not list the cross-site scripting vulnerability among the
fixes, but the release notes for the EDS-408A
series do. The other two vulnerabilities are listed in both sets of release
notes. Owners of EDS-405A switches should therefore confirm with Moxa whether
the XSS fix is actually included in that firmware before treating it as
remediated.
NOTE: There is an error in the click-through link to the
Moxa update site in the ICS-CERT advisory, but the printed link does work.
Schneider Advisory
This advisory is a
follow-up to the ICS-CERT
alert published on August 12th. The advisory describes two
vulnerabilities in a number of PLC products that were disclosed (with proof-of-concept
exploit code) at DEF CON by Aditya K. Sood. ICS-CERT notes that the
vulnerabilities had been previously disclosed to Schneider by Juan Francisco
Bolivar. Schneider has released a firmware patch to mitigate the
vulnerabilities, but there is no indication that either researcher has been
provided an opportunity to verify the efficacy of the fixes.
ICS-CERT notes that it would be difficult to craft “a
working exploit for these vulnerabilities”, even though proof-of-concept exploit
code is publicly available. This reflects the continuing opinion of ICS-CERT
that crafting a social engineering attack is difficult. This does not appear
(IMHO) to reflect recent history, in which even security-conscious organizations
have been successfully compromised by social engineering attacks.
The Schneider security
notification also addresses the hard-coded credential vulnerability that
was reported in the ICS-Alert (but is not mentioned in this advisory). The
Schneider document notes that this vulnerability was previously addressed and
provides a link to a recently
updated security notification discussing the problem, which was
reported by Ruben Santamarta in 2011. That document continues to claim that
the hard-coded credential is part of a deliberate design decision, and Schneider
is still considering whether or not it needs to be removed.
There is an interesting additional link to a Schneider
document in the mitigation section of the ICS-CERT advisory. It is a link to
the Schneider
report on the use of the Tofino firewall as a mitigation measure for PLC
vulnerabilities. This is a very detailed (55-page) description of how to use
this device.
Cogent Advisory
This advisory
describes a code injection vulnerability in the Cogent DataHub application. The
vulnerability was originally reported by an anonymous researcher via the HP
Zero Day Initiative. Cogent has produced a new version that mitigates the vulnerability,
but there is no indication that the researcher has been provided an opportunity
to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to turn on an insecure processing
mode in the web server.