Today the DHS ICS-CERT published two control system security
advisories for products from Moxa and WECON. They also published the latest
edition of the ICS-CERT Monitor.
Moxa Advisory
This advisory
describes an authorization bypass vulnerability in the Moxa Device Server Web
Console. The vulnerability was reported by Maxim Rupp. Support for the device
ended in 2012, but Moxa has provided recommendations to mitigate this
vulnerability. There is no indication that Rupp has been provided an
opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit this vulnerability to gain access to change settings and data
on the target device.
Moxa suggests disabling two ports and restricting access to
three others. They note that such restrictions could impact remote systems
administration.
WECON Advisory
This advisory
describes two buffer overflow vulnerabilities in the WECON LeviStudio software.
The vulnerabilities were reported by Rocco Calvi and Brian Gorenc via the Zero
Day Initiative. WECON has not released (and apparently does not plan to release)
a product fix to address these vulnerabilities; CAVEAT EMPTOR.
The two vulnerabilities are:
• Heap-based buffer overflow - CVE-2016-4533; and
• Stack-based buffer overflow - CVE-2016-5781
ICS-CERT has a new take on social engineering attacks, and I
quote:
“An attacker with low skill would
be able to exploit these vulnerabilities. Crafting a working exploit for these
vulnerabilities would not be difficult; however, social engineering is required
to convince the user to accept the malformed file or visit a malicious web
site. This decreases the likelihood of a successful exploit.”
May-June 2016 Monitor
The Monitor
covers ICS-CERT operations during May and June of this year. The lead-off
article on a specific incident takes an oblique look at the use of SHODAN for
identifying control system components facing the internet. Beyond pointing out
that some sort of internet facing device (presumably a control system
component?) was identified by ICS-CERT via SHODAN, the only information of note
is that devices identified with an ISP IP address cannot be directly identified
by ICS-CERT. They have to forward notification to the owner via the ISP. Good
to know that ISPs are protecting our privacy (at least in this instance).
We also see four pieces about ICSJWG meetings. The first is
a recap of an ICS-CERT presentation at the Spring meeting about “Viewing Your
Network through the Eyes of an Attacker”. There is also a listing of the other ICS-CERT
presentations at that meeting. Then there is a brief preview of the Fall
Meeting. The final item is a lengthy item about the Advanced Analytical Lab’s
presentation at the Spring Meeting.
This issue contains a little bit more information about the
system assessments that ICS-CERT does. It contains a brief article outlining
the top six weaknesses that ICS-CERT identified in their assessments in 2015.
Those weaknesses are:
(1) Boundary protection;
(2) Least functionality;
(3) Authenticator management;
(4) Identification and authentication;
(5) Least privilege; and
(6) Allocation of resources
There are also two brief pieces on Protected Critical
Infrastructure Information (PCII). The first is a short article on what
facilities need to do to claim PCII protections for information that they
submit to ICS-CERT. While the overview is pretty good, there is a lack of
detail on what exactly must be in the Express Statement and in the
Certification Statement. Those details are available on the PCI web site.
On the whole, this issue of the Monitor is well worth
reading.