Today the DHS ICS-CERT published two control system security
advisories for products from Trihedral Engineering and ABB. The ABB advisory
covers a vulnerability that I
discussed ten days ago.
Trihedral Advisory
This advisory
describes two vulnerabilities in the Trihedral VTScada. The vulnerabilities
were independently reported by Karn Ganeshen and Mark Cross. Trihedral has a
new version that mitigates the vulnerabilities. There is no indication that
either researcher has been provided the opportunity to verify the efficacy of
the fix.
The two reported vulnerabilities are:
• Improper access control - CVE-2017-14031; and
• Uncontrolled search path element - CVE-2017-14029.
ICS-CERT reports that a relatively low skilled attacker with
uncharacterized access could exploit these vulnerabilities to execute
arbitrary code.
NOTE: Anyone looking for one possible explanation of why
owner/operators are slow to update their ICS software need look no further
than the Trihedral upgrade notes for moving from v11.2 to the current
version. The upgrade is a lot of work, and many existing tools do not carry
over to the newest version.
ABB Advisory
This advisory
describes an improper input validation vulnerability in the ABB FOX515T. The
vulnerability was reported by Ketan Bali. ABB reports that the device has been
phased out and is no longer being supported. The ABB cybersecurity
advisory reports that there are no workarounds available for this
vulnerability.
ICS-CERT reports that a relatively low skilled attacker with
uncharacterized access could exploit this vulnerability to craft a malicious
script that would enable retrieval of any file on the server.
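The advisory describes the bug class only as improper input validation that lets a crafted request retrieve any file on the server, without saying how the FOX515T handles paths. The following is an added illustration of that class in a generic file-serving handler, not ABB's or ICS-CERT's code: the unvalidated version joins the request straight onto the web root, so `../` segments walk out of it, while the hardened version canonicalizes the joined path and refuses anything that does not stay under the root. The directory layout and file contents are constructed for the demo.

```python
"""Added example: path traversal via improper input validation, vulnerable
and hardened forms. All paths and file contents below are constructed."""
import os
import tempfile
from pathlib import Path

# Constructed layout: a scratch directory holding a web root with one
# legitimately servable page, plus a file next to the root that stands in
# for "any file on the server" that must never be exposed.
BASE = Path(tempfile.mkdtemp(prefix="fileserve_demo_"))
WEB_ROOT = BASE / "www"
WEB_ROOT.mkdir()
(WEB_ROOT / "index.html").write_text("<h1>device status</h1>")
(BASE / "secret.txt").write_text("not for the web")


def serve_unvalidated(requested: str) -> str:
    """Vulnerable form: the request is concatenated onto the root with no
    validation, so '../secret.txt' resolves outside the web root."""
    path = Path(str(WEB_ROOT) + "/" + requested)
    return path.read_text()


def is_within_root(root: Path, candidate: Path) -> bool:
    """True only if the canonical candidate path lies under the canonical
    root. commonpath() is used rather than a string prefix test so that a
    sibling such as 'www2' is not mistaken for being inside 'www'."""
    root = root.resolve()
    candidate = candidate.resolve()
    return os.path.commonpath([root, candidate]) == str(root)


def serve_validated(requested: str) -> str:
    """Hardened form: strip any leading slash (an absolute request would
    otherwise replace the root when joined), canonicalize, and refuse the
    request unless the result stays inside the web root."""
    candidate = WEB_ROOT / requested.lstrip("/")
    if not is_within_root(WEB_ROOT, candidate):
        raise PermissionError(f"refusing path outside web root: {requested!r}")
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate.read_text()


def would_serve(requested: str) -> bool:
    """Convenience check: does the hardened handler accept this request?"""
    try:
        serve_validated(requested)
        return True
    except (PermissionError, FileNotFoundError):
        return False


if __name__ == "__main__":
    print("unvalidated ../secret.txt ->", serve_unvalidated("../secret.txt"))
    print("validated index.html      ->", serve_validated("index.html"))
    print("validated ../secret.txt   ->", would_serve("../secret.txt"))
```

The check belongs after canonicalization (`resolve()`), not before: a prefix test on the raw string is exactly what `..` segments, doubled slashes and symlinks defeat, and the same root-confinement check applies to any server that maps URL paths onto a filesystem.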
Commentary
Two security researchers independently detecting and
reporting the same vulnerabilities is not very common, but I suspect that is
due more to the reporting component of that statement than to the detection
component. This is an important concept for security researchers and vendors to
remember when they decide whether or not to communicate vulnerabilities.
For vendors trying to determine whether or not to report an
in-house detected vulnerability, the first question is whether they are going
to (or can) patch or upgrade to mitigate the vulnerability. If they do not patch,
they risk having an independent researcher or team discover the vulnerability
and either misuse it or sell it to someone else.
If the vendor fixes the vulnerability, the question arises of
whether to report the underlying vulnerability or to let the update
stand on routine improvements to the device/system. As I have mentioned before,
ICS owners are slow to update for any number of reasons; the risk of an unfixed
security vulnerability may be the incentive needed to upgrade to a newer
version.