This afternoon the DHS ICS-CERT published three control
system security advisories. Two of them were for products from IniNet Solutions
and the third was from 3S.
CODESYS Advisory
This advisory
describes another null pointer exception vulnerability in a CODESYS product,
this time the Gateway Server. The vulnerability was reported by Ashish Kamble
of Qualys, Inc. 3S has produced a new version that mitigates the vulnerability
and Kamble has validated the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to crash the server.
This is the same type of vulnerability that was reported
last week by ICS-CERT in the CODESYS Runtime Tool Kit.
IniNet Solutions SCADA Web Server Advisory
This advisory
describes three vulnerabilities in IniNet Solutions GmbH’s SCADA Web Server.
The vulnerabilities were reported by Kirill Nesterov and Aleksandr Timorin of
Positive Technologies. IniNet Solutions has produced a new version that
mitigates these vulnerabilities, but there is no indication that the
researchers were provided an opportunity to verify the efficacy of the fix.
The three vulnerabilities are:
• Stack-based buffer overflow, CVE-2015-1001;
• Improper handling of URL encoding, CVE-2015-1002; and
• Path traversal, CVE-2015-1003.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to manipulate and delete files,
execute arbitrary code, and initiate a denial of service condition.
ICS-CERT also reports that the affected web server is known
to be used in a variety of Beckhoff Embedded PCs. Beckhoff is apparently not
accepting any responsibility for the vulnerable application.
IniNet Solutions embeddedWebServer Advisory
This advisory
describes a password cleartext storage vulnerability in the IniNet Solutions
eWebServer. The vulnerability was reported by Aleksandr Timorin of Positive
Technologies. IniNet Solutions has produced a new version that mitigates the
vulnerability, but there is no indication that Timorin was provided an
opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker with
local access could exploit this vulnerability to obtain logon information.
ICS-CERT also reports that the affected web server is known
to be used in a variety of Baumüller PCs and Beckhoff Embedded PCs. Baumüller
does not plan on updating their affected PCs because they are being retired in
December. Beckhoff is apparently not accepting any responsibility for the
vulnerable application.