Today this is not about a new disclosure but about some new
information on an
ICS-CERT advisory that was published this week. SEC Consult published additional information
on the Siemens SICAM vulnerabilities on the FullDisclosure web site.
The ICS-CERT advisory reported that publicly available exploits existed, but did not provide a link. This report from SEC Consult provides proof of concept code for exploiting the first two vulnerabilities and a link to a much older (2003) report on the code injection vulnerability. That link leads to a report by Luigi Auriemma, a name that hasn’t been seen on this blog in quite some time.
The Luigi report is about the GoAhead web server that was
apparently used by Siemens in the affected versions of the SICAM devices. This
is not noted in either the ICS-CERT advisory or the Siemens security
advisory. Luigi describes GoAhead this way:
“Goahead (sic) webserver is an embedded
OpenSource server that can be build (sic) on a lot of systems (CE, Ecos,
GNU/Linux, Lynx, MacOS, NW, QNX4, VXWORKS, Win32 and others).
“It is supported by a lot of
companies that use it for their projects and it is also used like ‘base’ for
other webservers, furthermore it has been developed for be very tiny and to run
on embedded systems.”
Apparently, Siemens used an unpatched version of the webserver in the affected versions of the SICAM devices (Luigi reported that the vulnerability he found was fixed in December 2003). Since Siemens (and almost all other ICS vendors) did not start to take control system security seriously until after 2010 (STUXNET), it is not surprising that a newer version of the webserver was not incorporated in these devices; in fact, it is quite possible that Siemens was never informed of the vulnerability.
This is an old but continuing problem with third-party software used in many of the control system devices still in service today. If the original vendor does not have an active method for sharing vulnerability information with all of its customers, the vendor incorporating that software may not become aware of the vulnerability until some third-party researcher discovers the problem.
More disturbing in this case is the fact that neither ICS-CERT nor Siemens mentioned that the vulnerabilities (apparently all three) in the SICAM devices were based upon vulnerabilities in a GoAhead web server. If it were not for this separate SEC Consult disclosure, the community would not realize that there was a third-party vulnerability involved that may still exist in other non-Siemens devices.
1 comment:
Interesting. Optimizing legacy vulnerabilities for present day initiatives.