This afternoon the DHS ICS-CERT published a new control
system security advisory for a Rexroth Bosch product and updated an advisory for a
Siemens product.
Rexroth Bosch Advisory
This advisory
describes two vulnerabilities in the Rexroth Bosch BLADEcontrol-WebVIS. The
vulnerabilities were reported by Maxim Rupp. Rexroth Bosch has produced a new
version. There is no indication that Rupp was provided an opportunity to verify
the efficacy of the fix.
The reported vulnerabilities are:
• SQL injection - CVE-2016-4507; and
• Cross-site scripting - CVE-2016-4508.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to compromise the database server or
to achieve remote code execution.
Siemens Update
This update
provides new information on a Siemens Advisory that was reported by ICS-CERT on
May 19th, 2016 for the Siemens SIPROTEC 4 and SIPROTEC Compact. The
update removes a previously reported version of SIPROTEC Compact (7SK80) from
the advisory. It also adds update information for another version of SIPROTEC Compact.
ICS Ransomware Issue
As I mentioned on
TWITTER on Saturday, there is an interesting
article over on ISSSource.com about a report from Rockwell Automation concerning
a ransomware attack via a file being made available on the internet (no source
given) called ‘Allenbradleyupdate.zip’. Apparently this file is not on the
Rockwell web site and there is no information about any kind of social
engineering attack associated with the file.
A copy of the Industrial Security Advisory from Rockwell is
available here.
It is presumably available on the Rockwell Automation web site, but access to
that site is restricted to customers and Rockwell employees, so I cannot verify
that.
Rockwell learned about the file from the Electricity
Information Sharing and Analysis Center (E-ISAC). This is a good example of how
information sharing should work to get information back to responsible folks to
evaluate and spread the word. Unfortunately, it appears that the attempt by
Rockwell to share this information via ICS-CERT was rebuffed.
While no one would like to think that any responsible
control system engineer would apply an update to an industrial control system
that was obtained from anywhere but a vendor web site, I think that we
have to admit that with a properly crafted social engineering attack it is
almost inevitable that someone would load this ransomware masquerading as an
ICS update. Spreading the word about this as widely as possible would certainly
be in the best interest of everyone (except the ransomware author, of course).
It is inconceivable to me that ICS-CERT would not use its information sharing
capabilities to spread the word.
It is just a matter of time before a ransomware attack like
this finds its way onto a hacked vendor or integrator web site. This is a good
time to begin a discussion about what vendors are doing to prevent such site
hacks and how vendors and users can ensure that only legitimate system updates are
applied to live systems. This is another good reason to first apply updates to
test systems before they are applied to real control systems.
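On the question of how users can ensure that only legitimate updates reach their systems, here is an added example of the kind of check a user could run before a downloaded update archive goes even onto a test system; it is my own illustration, not code from the post, Rockwell or ICS-CERT. It assumes a vendor-published manifest (version, archive SHA-256, declared file list) and uses an HMAC with a pre-shared key as a stand-in for the vendor's real code signing so that it runs with the standard library alone.

```python
# Added example (not from the post or any vendor): verify a candidate ICS update archive
# against a vendor-authenticated manifest. HMAC stands in for real vendor code signing.
import hashlib, hmac, io, json, zipfile

VENDOR_KEY = b"demo-vendor-key"  # constructed; plays the role of the vendor signing key
UNSAFE_SUFFIXES = (".exe", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".scr")

def build_zip(entries):
    """Build an in-memory zip from {name: bytes}; used only to construct sample data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def make_manifest(archive, files, version):
    """Vendor side (assumed format): describe the package that was actually released."""
    return {"version": version, "sha256": hashlib.sha256(archive).hexdigest(), "files": files}

def sign_manifest(manifest, key=VENDOR_KEY):
    """Vendor side: authenticate the canonical JSON form of the manifest."""
    blob = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def verify_update(archive, manifest, tag, key=VENDOR_KEY):
    """User side: return (ok, reason); every check must pass before the archive is trusted."""
    if not hmac.compare_digest(sign_manifest(manifest, key), tag):
        return False, "manifest authentication failed"
    if not hmac.compare_digest(hashlib.sha256(archive).hexdigest(), manifest["sha256"]):
        return False, "archive hash does not match vendor manifest"
    try:
        with zipfile.ZipFile(io.BytesIO(archive)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return False, "archive is not a valid zip"
    for name in names:
        if name.startswith("/") or ".." in name.split("/"):
            return False, "unsafe path in archive: " + name
        if name not in manifest["files"]:
            return False, "undeclared file in archive: " + name
        if name.lower().endswith(UNSAFE_SUFFIXES):
            return False, "executable content not expected in update: " + name
    return True, "archive matches vendor manifest"

# Constructed data: the vendor's genuine package and a look-alike from an unknown source.
GENUINE = build_zip({"firmware/controller.bin": b"\x00" * 64, "README.txt": b"v2.1 notes"})
MANIFEST = make_manifest(GENUINE, ["firmware/controller.bin", "README.txt"], "2.1")
TAG = sign_manifest(MANIFEST)
ROGUE = build_zip({"update.exe": b"MZ"})  # stands in for the 'Allenbradleyupdate.zip' in the post
```

The manifest and its tag must come from a channel independent of the download itself (the vendor's own site or an ISAC bulletin), otherwise a hacked download site can replace both together.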