Saturday, February 3, 2018

Public ICS Disclosures – Week of 1-25-18

This week we have a new coordinated disclosure for a Sprecher Automation remote terminal unit (RTU), exploit code for an Advantech WebAccess vulnerability and a late discussion of new information on the TRISIS attack.


SEC Consult Vulnerability Lab published a vulnerability report on the web site this week for multiple vulnerabilities in the Sprecher SPRECON-E-C RTU. It reports five vulnerabilities (with proof of concept code), including:

• Authenticated path traversal;
• Client-side password hashing;
• Missing authentication;
• Permanent denial of service via port scan; and
Outdated Linux kernel.

Three of the five vulnerabilities have reportedly been fixed and work arounds have been provided for the other two.

Advantech Exploit

Chris Lyne published exploit code on the web site this week for an SQL injection vulnerability in the Advantech WebAccess application. The vulnerability was included in a recent ICS-CERT Advisory that was most recently updated on January 11th. For obvious reasons, ICS-CERT did not mention the publicly available exploit code and they have not made it a practice to further update their advisories to report the presence of exploits.


Most readers will probably be familiar with the Schneider presentation at S4X18 about new information on the recent attack on a Triconex safety system. The Schneider reported that they discovered a zero-day vulnerability used by the attacker and have provided a firmware update that mitigates the vulnerability. Schneider updated their security notification to reflect the new information.

ICS-CERT published a malware report not a control system advisory for the situation. It did provide a link to the original Schneider notification. I do not expect ICS-CERT to update their malware report, but I have been hoping to see an advisory for the newly reported vulnerability.

I cannot wait for DigitalBond to make the Schneider presentation available on their site.

1 comment:

Toshio Miyachi said...

Schneider presentation at S4x18 is here:

/* Use this with templates/template-twocol.html */