This afternoon the DHS ICS-CERT updated the XZERES advisory published earlier
this week. It also published control system advisories for products from
Open Automation and Advantech.
XZERES Update
This update revises the description of the potential impact of the vulnerability. Originally
it said that: “Successful exploitation of this vulnerability allows the ID to
be retrieved from the browser and will allow the default ID to be changed.” Now
it reads: “Successful exploitation of this vulnerability could allow the
injection of malicious script.” That is a significant change in impact.
The description of the cross-site scripting vulnerability
has also been changed. Originally it said: “The 442SR OS recognizes both the
POST and GET methods for data input. By using the GET method, an attacker may
retrieve the ID from the browser and will allow the default user ID to be
changed. The default user has admin rights to the entire system.” It now reads:
“The 442SR OS does not provide adequate input validation. This could allow
malicious script to be injected into the program.” The CVSS v3 base score
remains 9.8.
NOTE: This update is listed on the ICS-CERT landing page,
but just because the original would still be there and the change was made to
the original listing. I still recommend following @ICSCERT on Twitter to get notified of
these updates.
Open Automation Advisory
This advisory describes an uncontrolled search path element vulnerability in the Open Automation
Software OPC Systems.NET application. The vulnerability was reported by Ivan
Sanchez from Nullcode Team. ICS-CERT reports that Open Automation Software does
not intend to patch the vulnerability at this time.
ICS-CERT reports that a social engineering attack is
required to exploit this DLL hijacking vulnerability. A successful exploit
would give the attacker access at the same privilege level as the application.
ICS-CERT reports that: “Open Automation Software has passed
the researcher information to its support team to assist customers in the event
that they encounter this vulnerability.”
Advantech Advisory
This advisory describes three vulnerabilities in the Advantech EKI-132x platform
devices. This was an uncoordinated disclosure made by Tod Beardsley of Rapid7.
Advantech plans to release updated firmware to fix these vulnerabilities by the
end of this month.
The three vulnerabilities are:
• OS command injection (Shellshock) - CVE-2014-6271;
• Improper restriction of operations within the bounds of a memory buffer (Heartbleed) - CVE-2014-0160; and
• Improper restriction of operations within the bounds of a memory buffer - CVE-2012-2152
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities using publicly available exploit code to
execute arbitrary code, to obtain private keys, or to impersonate the
authenticated user and perform a man-in-the-middle attack.
NOTE: This is the ‘missing’ advisory that I reported on last
week. Interestingly there is no mention in the advisory of the apparent
fact that these vulnerabilities worked their way back into the system as part
of the update to fix an earlier vulnerability.