This morning the DHS ICS-CERT published three advisories for
control system components from Rockwell, Eaton Lighting Systems and Pro-Face.
Two of the three advisories had previously been released on the US CERT Secure
Portal.
Rockwell Advisory
This advisory
describes an access violation memory error in the Rockwell Automation
Integrated Architecture Builder (IAB) application. The vulnerability was
reported by Ivan Sanchez from Nullcode Team. Rockwell has produced a software
update to mitigate the vulnerability, but there is no indication that Sanchez
has been afforded the opportunity to verify the efficacy of the fix.
ICS-CERT reports that a social engineering attack is
required to get an authorized user to introduce or change project files
and then access the malformed file. ICS-CERT does not count such social
engineering attacks as being remotely executable.
The advisory includes a number of additional mitigation
measures that Rockwell recommends that owners implement when using the IAB
application.
Eaton Lighting Systems Advisory
This advisory
describes twin vulnerabilities in the Eaton Lighting Systems EG2 Web Control
application. The vulnerabilities were reported by Maxim Rupp. Eaton has
produced a firmware patch to mitigate the vulnerabilities, but there is no
indication that Rupp has been provided an opportunity to verify the efficacy of
the fix.
The two vulnerabilities were:
• Reliance on cookies without validation and integrity checking - CVE-2016-2272; and
• Cleartext storage of sensitive information - CVE-2016-0871
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit the vulnerabilities to configure the system.
ICS-CERT reports that, though a firmware patch has been made
available, Eaton will be moving this product to end of life later this
year and recommends that owners upgrade to the new system. It is nice to see
that the patch was developed anyway.
Pro-face Advisory
This advisory
describes four vulnerabilities in the Pro-face GP-Pro EX HMI software. The
vulnerabilities were reported by ZDI (the first three) and Jeremy Brown. Pro-face
has produced an update module
to mitigate the vulnerabilities, but there is no indication that the
researchers were afforded the opportunity to verify the efficacy of the fix.
The vulnerabilities include:
• Heap-based buffer overflow - CVE-2015-2290;
• Out-of-bounds read - CVE-2015-2291;
• Stack-based buffer overflow - CVE-2015-2292; and
• Use of hard-coded credentials - CVE-2015-7921
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit the vulnerabilities to execute arbitrary code.
It is odd that a Schneider Electric company would not
publish a security advisory for four vulnerabilities, two of which are fairly
serious.