Today the DHS ICS-CERT published three new control system
security advisories and an in-house paper on malware trends. The three new
advisories are for control system products from Schneider and IBHsoftec. One of
the Schneider advisories addresses a vulnerability I
discussed on Saturday. Neither of the Schneider advisories listed here is
the one referenced in a TWEET® from Critifence
that I retweeted
this morning.
Schneider Unity Pro Advisory
This advisory
describes an insufficient control flow management vulnerability in the Schneider
Electric Unity PRO Software product. The vulnerability was reported by Avihay
Kain and Mille Gandelsman of Indegy. Schneider produced a new version of the
software that mitigates the vulnerability. There is no indication that the
Indegy researchers have been provided an opportunity to verify the efficacy of
the fix.
ICS-CERT reports that, while this vulnerability could be
exploited remotely, a two-stage social engineering attack would be required to
exploit it, so developing a working exploit would be difficult. The Schneider Security
Notification implies that direct loading of the corrupted file by the
attacker could be possible “when the application program loaded in the
simulator is not password protected”.
IBHsoftec Advisory
This advisory
describes a buffer overflow vulnerability in the IBHsoftec S7-SoftPLC. The
vulnerability was reported by Ariele Caltabiano (kimiya) through ZDI. IBHsoftec
has produced a new version to mitigate the vulnerability. There is no
indication that kimiya has been provided an opportunity to verify the efficacy
of the fix.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit the vulnerability to “be able to affect integrity,
confidentiality, and availability of the target device”.
Schneider ConneXium Advisory
This advisory
describes a buffer overflow vulnerability in the Schneider Electric ConneXium
firewall product. The vulnerability was reported by Nir Giller. According to
ICS-CERT, Schneider is developing a firmware update, but the Schneider Security Notification (not listed in
the ICS-CERT advisory) indicates that an update is currently available through “your
local Schneider Electric representative”.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to execute code during the SNMP
(Simple Network Management Protocol) login authentication process.
The Schneider document also provides workaround information
for the vulnerability.
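As an added illustration of the bug class ICS-CERT names here, and not Schneider's code (the advisory does not describe the ConneXium internals), the following C sketch shows how an SNMPv1 agent can overrun a fixed-size community-string buffer by trusting the attacker-supplied BER length octet, beside the bounds-checked form that rejects the message before copying. The 16-byte buffer size, the function names and the constructed sample messages are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical community-string check for an SNMPv1 agent, written for
 * this post. It is NOT the ConneXium firmware. */
#define COMMUNITY_MAX 16   /* assumed fixed-size agent buffer */

/* Read one BER TLV with a short-form (single octet) length.
 * Returns a pointer to the value and sets *len, or NULL if malformed. */
static const uint8_t *ber_tlv(const uint8_t *p, const uint8_t *end,
                              uint8_t tag, size_t *len)
{
    if (end - p < 2 || p[0] != tag || (p[1] & 0x80)) return NULL;
    *len = p[1];
    if ((size_t)(end - p - 2) < *len) return NULL;  /* value must fit in message */
    return p + 2;
}

/* Locate the community OCTET STRING in an SNMPv1 message:
 * SEQUENCE { INTEGER version, OCTET STRING community, PDU ... }.
 * Returns a pointer to the community bytes or NULL on malformed input. */
static const uint8_t *find_community(const uint8_t *msg, size_t n, size_t *len)
{
    const uint8_t *end = msg + n, *p;
    size_t l;
    if (!(p = ber_tlv(msg, end, 0x30, &l))) return NULL;          /* SEQUENCE */
    end = p + l;
    if (!(p = ber_tlv(p, end, 0x02, &l)) || l != 1) return NULL;  /* version */
    p += l;
    return ber_tlv(p, end, 0x04, len);                            /* community */
}

/* Vulnerable pattern: the length octet is attacker-controlled and is copied
 * into a 16-byte stack buffer with no bound check, so a community string of
 * 16 or more bytes writes past the buffer. This is the bug class the advisory
 * describes; never call it with untrusted input. */
int community_ok_vulnerable(const uint8_t *msg, size_t n, const char *expected)
{
    char community[COMMUNITY_MAX];
    size_t len;
    const uint8_t *c = find_community(msg, n, &len);
    if (!c) return -1;
    memcpy(community, c, len);       /* unbounded copy */
    community[len] = '\0';
    return strcmp(community, expected) == 0;
}

/* Hardened: reject the message before copying, and compare in constant time
 * so reply latency does not reveal how many leading bytes matched.
 * Returns 1 on match, 0 on mismatch, -1 on malformed input. */
int community_ok(const uint8_t *msg, size_t n, const char *expected)
{
    char community[COMMUNITY_MAX];
    size_t len, elen = strlen(expected);
    const uint8_t *c = find_community(msg, n, &len);
    if (!c) return -1;
    if (len >= COMMUNITY_MAX) return -1;   /* too long for the buffer: drop it */
    memcpy(community, c, len);
    community[len] = '\0';
    if (len != elen) return 0;
    unsigned diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (unsigned char)community[i] ^ (unsigned char)expected[i];
    return diff == 0;
}

/* Build the head of an SNMPv1 message carrying `community` (constructed test
 * input; the PDU is omitted because parsing stops after the community). */
size_t build_msg(uint8_t *out, size_t cap, const char *community)
{
    size_t clen = strlen(community);
    if (clen > 120 || cap < clen + 7) return 0;
    out[0] = 0x30; out[1] = (uint8_t)(clen + 5);   /* SEQUENCE, short length */
    out[2] = 0x02; out[3] = 0x01; out[4] = 0x00;   /* INTEGER 0 = SNMPv1 */
    out[5] = 0x04; out[6] = (uint8_t)clen;         /* OCTET STRING community */
    memcpy(out + 7, community, clen);
    return clen + 7;
}

/* Convenience: build a message with `community` and run the hardened check. */
int check_with(const char *community, const char *expected)
{
    uint8_t buf[160];
    size_t n = build_msg(buf, sizeof buf, community);
    return community_ok(buf, n, expected);
}

int main(void)
{
    printf("public/public   -> %d\n", check_with("public", "public"));
    printf("private/public  -> %d\n", check_with("private", "public"));
    printf("32 x 'A'/public -> %d\n",
           check_with("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA", "public"));
    return 0;
}
```

The only difference that matters between the two checks is the single `len >= COMMUNITY_MAX` test placed before the copy; the Schneider workaround of restricting who can reach the SNMP port is the network-side version of the same idea, keeping untrusted packets away from the parser in the first place.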
Malware Trends
This white paper
was produced by the ICS-CERT Advanced Analytic Laboratory (AAL). It is a
24-page review of the current state of malware. Once again ICS-CERT has
produced a nice review document suitable for updating non-technical management
on cybersecurity issues. It covers the following topics:
• Attacker tactic changes;
• Malware evolution;
• Persistence methods;
• Infection vectors;
• Defensive tactics; and
• Platform challenges
Unfortunately, like most recent ICS-CERT technical documents,
it is very light on data specific to the control system (ICS) security
community. It is not until page 17 that we see the first specific ICS
discussion, in a subsection of the platform challenges discussion. Even that
discussion is very brief and very light on details. For example, half of
the discussion about BlackEnergy consists of the following paragraph:
“BlackEnergy is an interesting case
of malware that has undergone a dramatic change in its design and target
depending on the groups that use it. Initially, BlackEnergy was a DDoS bot
primarily used by the Russian hacker underground to take down sites. Support
for plugins was added in the next major revision (BlackEnergy2), changing the
exclusively DDoS box into a powerful multi-tool. Years later, researchers
discovered that threat actors utilized zero-day exploits and spear phishing,
combined with BlackEnergy 2 and specially-tailored plugins, to target and
compromise ICS networks.”
This is a good overview document that I would have been
proud to have authored. The technical skills and experience of the AAL deserve
a much better showcase.