Tuesday, January 9, 2018

ICS-CERT Publishes 2 Advisories

Today the DHS ICS-CERT published two control system security advisories for products from General Motors and Rockwell Automation. The GM advisory was originally issued on the National Cybersecurity and Communications Integration Center (NCCIC) secure portal on August 22nd, 2017.

GM Advisory


This advisory describes multiple vulnerabilities in the General Motors Shanghai OnStar (SOS) iOS Client. The vulnerabilities were reported by Charles Gans. GM has produced a new version of the SOS iOS Client and is scheduled to release a new version of the North American OnStar iOS Client. There is no indication that Gans has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Clear-text storage of sensitive information - CVE-2017-9663;
• Channel accessible by non-endpoint - CVE-2017-12697; and
• Improper authentication - CVE-2017-12695

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to gain full access to the Shanghai OnStar iOS client, allowing for the control of remote vehicle commands and the ability to view and edit account data.

NOTE: There is nothing on the Automotive ISAC web site about this set of vulnerabilities (or any other public vulnerability reports for that matter) even though one of the mitigation measures suggested by GM applies directly to the public using the client. Nor have I seen any news reports of GM sharing this information directly with the public.

Rockwell Advisory


This advisory describes a buffer overflow vulnerability in the Rockwell Allen-Bradley MicroLogix 1400 Controllers. The vulnerability was reported by Thiago Alves of the University of Alabama. The latest firmware version mitigates the vulnerability. There is no indication that Alves was provided an opportunity to verify the efficacy of the fix.


ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause the device that the attacker is accessing to become unresponsive to Modbus TCP communications and affect the availability of the device.
