Tuesday, May 2, 2017

ICS-CERT Publishes 3 Advisories

Today the DHS ICS-CERT published three control system security advisories for products from Advantech, CyberVision and Schneider.

Advantech Advisory

This advisory describes a client-side authentication vulnerability in the Advantech B+B SmartWorx MESR901. The vulnerability was originally reported by Maxim Rupp. ICS-CERT reports that Advantech is unable to provide mitigations for this product and is working to replace the product with a new model.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to bypass authentication and access restricted pages.

CyberVision Advisory

This advisory describes a code injection vulnerability in the CyberVision Kaa IoT Platform. The vulnerability was reported by Jacob Baines from Tenable Network Security. ICS-CERT reports that CyberVision has been unresponsive to multiple contact requests and has produced no mitigations for this vulnerability.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to create files with custom content, move files, and execute arbitrary OS commands.

Schneider Advisory

This advisory describes an improper XML parser configuration vulnerability in the Schneider Wonderware Historian Client. The vulnerability was reported by Andrey Zhukov from USSC. Schneider has an update that mitigates the vulnerability. ICS-CERT reports that Zhukov has verified the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker (no discussion of access requirements) could exploit this vulnerability to cause denial of service of trend display or to disclose arbitrary files from the local file system to a malicious web site. The Wonderware Security Bulletin reports that a social engineering attack would be required to get an authorized user to load a malicious XML settings file.


At this late date it is very disconcerting to see two ICS-CERT advisories reporting that vendors are not fixing reported vulnerabilities. I am disappointed in not seeing ICS-CERT report why Advantech is choosing to not fix their SmartWorx MESR901. I suspect that this is an end-of-life issue, but the product is still being actively advertised on the Advantech web site.

More disturbing is the failure of CyberVision to even respond to ICS-CERT about the reported vulnerability. The Kaa project is advertised as an open-source IOT platform. We have enough problems with IOT security issues without having people acknowledge and try to fix specifically identified security issues with their product.
