Today the DHS ICS-CERT published three control system
security advisories for products from Carlo Gavazzi, VideoInsight, and
Advantech. ICS-CERT also published their latest ICS-CERT
Monitor for November and December 2016. I am not going to review this
publication any longer.
Carlo Gavazzi Advisory
This advisory describes three vulnerabilities in the Carlo Gavazzi VMU-C EM and VMU-C PV web servers. The vulnerabilities were reported by Karn Ganeshen. Carlo Gavazzi has produced a new firmware version that mitigates the vulnerabilities. ICS-CERT reports that Ganeshen has verified the efficacy of the fix.
The reported vulnerabilities are:
• Access control flaws - CVE-2017-5144;
• Cross-site request forgery - CVE-2017-5145; and
• Sensitive information stored in clear text - CVE-2017-5146.
ICS-CERT is confused on the exploitability of these
vulnerabilities. At the start of the advisory they report that the
vulnerabilities are: “Remotely exploitable/low skill level to exploit.” But
later in the body of the advisory it reports: “Not remotely exploitable. High
skill level is needed to exploit.” I suspect that the first is correct and the
second may be an artifact of the new format ICS-CERT is using to report
advisories; more on that later.
VideoInsight Advisory
This advisory describes an SQL injection vulnerability in the VideoInsight Web Client. The vulnerability was reported by Juan Pablo Lopez Yacubian. VideoInsight has produced a new version to mitigate the vulnerability. ICS-CERT reports that Yacubian has verified the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit the vulnerability to execute arbitrary commands on the
target system.
Advantech Advisory
This advisory describes two vulnerabilities in the Advantech WebAccess application. The vulnerabilities were reported by Tenable Network Security via the Zero Day Initiative. Advantech has produced a new version to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Authentication bypass - CVE-2017-5152; and
• SQL injection - CVE-2017-5154.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit the vulnerabilities to access pages unrestricted; the SQL
injection condition may allow remote code execution.
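Both the VideoInsight and Advantech advisories name SQL injection (the CWE-89 class that the new advisory format now links to) without showing the affected code. The following is an added example of my own, not code from ICS-CERT or from either vendor's product: it uses a constructed in-memory SQLite table to show the vulnerable pattern, where user input is spliced into the query text, beside the parameterized form that closes the hole. The table, rows and function names are all invented for the demonstration.

```python
import sqlite3

# Constructed in-memory database standing in for a web client's user store.
# Nothing here is from the VideoInsight or Advantech products; the table and
# rows are invented for the demonstration.
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "operator"), ("bob", "viewer"), ("carol", "admin")],
    )
    conn.commit()
    return conn


def lookup_role_unsafe(conn: sqlite3.Connection, name: str):
    """Vulnerable pattern (CWE-89): the user-supplied name is concatenated into
    the SQL text, so quote characters in the input change the query's structure."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_role_safe(conn: sqlite3.Connection, name: str):
    """Hardened form: the value travels as a bound parameter and is never
    parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo() -> dict:
    """Run both lookups with an ordinary name and with a name containing a
    quote and a tautology, and return the rows each one produced."""
    conn = build_demo_db()
    ordinary = "bob"
    # In the unsafe function this value widens the WHERE clause so that every
    # row matches; in the safe function it is just a string matching no user.
    crafted = "x' OR '1'='1"
    return {
        "unsafe_ordinary": lookup_role_unsafe(conn, ordinary),
        "unsafe_crafted": lookup_role_unsafe(conn, crafted),
        "safe_ordinary": lookup_role_safe(conn, ordinary),
        "safe_crafted": lookup_role_safe(conn, crafted),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The point for a reviewer of vendor fixes is the second pair of results: the parameterized query returns the same single row for the legitimate name and an empty result for the crafted one, which is exactly the behaviour the concatenated version fails to guarantee. Input filtering alone does not give that guarantee; binding the value does.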
New Advisory Format
ICS-CERT has started 2017 with a new format for their advisories. Any change is going to have pluses and minuses, and it is easy to pick out the problems with the new format. Fortunately, there are more good things in this change, so I would like to highlight those.
First, ICS-CERT has obviously taken a hard look at what they
think is the important information in the advisory and has moved that
information to the top of the advisory. The first five items on the advisory
are short listings of:
• CVSS v3 Score;
• Exploitability;
• Vendor;
• Affected equipment; and
• Vulnerability listing.
These are certainly very important pieces of information. Their
placement at the top of the format makes it easier to do a quick review of the
advisory.
This is followed by essentially the same affected versions, impact, and mitigation measures. There are no significant changes to these sections. At the end of the advisory we now see some major revisions to the vulnerability overview. Those changes include actual links to the CVE entries instead of a footnote to the URL, and more detailed background information on the types of vulnerabilities. That takes the form of links to the Common Weakness Enumeration (CWE) dictionary documenting the vulnerability type.
The last section of the advisory before the contact information is the researcher section, listing the researcher's name and affiliation. It will be interesting to see how ICS-CERT handles self-identified vulnerabilities in this section.
The major downside of the new format is that the title of the advisory is taken from the first item on the advisory, the CVSS score. This will cause all sorts of misunderstandings and difficulties in finding specific advisories as the year goes on. This could be easily remedied by changing the order of the initial listing to show the vendor name first.
The second problem that I see is that ICS-CERT has taken out any information about what industries are affected by the advisory or the regions of the world in which the affected equipment is deployed. With the major players like Siemens, and even mid-level players like Advantech, this is not a real problem, but two of today's advisories are for vulnerabilities in equipment from less well-known vendors.
The last problem is more a matter of appearances than an actual problem: the moving of the researcher's name to the end of the advisory. This certainly does nothing to tell the public (or the researcher) of the importance of the security researcher in the vulnerability reporting process. In my opinion the researcher's name and affiliation should be included in the summary information at the top of the advisory.