This week we have three vendor notifications of control
system vulnerabilities, one from ABB and two from Schneider.
ABB Advisory
This advisory
describes three vulnerabilities in the ABB CCLAS laboratory information
management system. The vulnerabilities are self-reported. A new version is
available that mitigates the vulnerabilities.
The reported vulnerabilities are:
• Path traversal (2); and
• Cross-site scripting
Flexera FlexNet Publisher Advisory
This advisory
describes a buffer error vulnerability in a number of Schneider products
that use the Schneider Floating License Manager, which is built on Flexera's
FlexNet Publisher. The vulnerability was
reported last summer by Flexera Software, the third-party vendor supporting
this Schneider product. Schneider has new product versions that mitigate the
vulnerability.
NOTE: As always with 3rd party vulnerabilities,
the open question is which other vendors have used the same vulnerable code in
their products.
Saitel DP Advisory
This advisory
describes a privilege escalation vulnerability in the Schneider Saitel DP
substation controller. The underlying flaw is a 3rd party vulnerability in the
Linux kernel that was reported in 2016, and multiple exploits for it are
publicly available. Schneider has a patch available to mitigate this
vulnerability.
Commentary
Two 3rd party vulnerabilities this week re-raise
the question of what responsibility vendors have both for vetting 3rd
party code and for monitoring reports of vulnerabilities in that code. The
license manager problem above could easily be a positive example of responding to a
reported vulnerability; the time lag between the initial vulnerability
report and this week's notification may simply reflect how long it took to
fix the problem.
The much longer delay in fixing the Linux kernel issue,
however, suggests that there was a significant gap between the original
vulnerability disclosure and the start of the Schneider response. While open
source projects like Linux do not have the same ability to push fixes to the
field as large corporations like Microsoft, there is no doubt that the vibrant
community discusses its vulnerabilities and fixes very openly; a vendor
watching the kernel mailing lists and distribution security announcements would
have known about the problem, and the fix, in 2016.
Vendors that use 3rd party code (and
it looks like every vendor does) and that are concerned about their customers'
secure use of their products (and that is obviously not every ICS vendor) are
going to have to actively monitor their code suppliers so that the vendor
becomes aware of reported vulnerabilities as soon as possible. That means
knowing which third-party components, at which versions, ship in each product,
so that every new supplier advisory can be checked against that inventory.
Vendors then have a responsibility to check for those 3rd
party vulnerabilities in their own products, and to tell their customers, as
soon as possible.
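The monitoring the commentary calls for comes down to keeping an inventory of the third-party components in each product and checking that inventory against every new supplier advisory. The following Python sketch, added here as an illustration and not code from ABB, Schneider or Flexera, performs that cross-check over a constructed component inventory and a constructed advisory list; the product names, component names, version numbers and advisory identifiers are all made up. Versions are compared numerically rather than as strings, because a lexical comparison would wrongly treat "11.9" as newer than "11.14".

```python
"""Cross-check a product's third-party component inventory against
supplier advisories.  Added example for this post; not vendor code.
All products, components, versions and advisory IDs are constructed."""
import re
from dataclasses import dataclass


def parse_version(version: str) -> tuple:
    """Turn '11.14.1' into (11, 14, 1) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # constructed identifier, not a real CVE/ICSA number
    component: str        # third-party component the advisory applies to
    affected_below: str   # every version strictly below this is affected
    fixed_in: str         # first version carrying the supplier's fix


# Constructed advisory feed (hypothetical components and identifiers).
ADVISORIES = [
    Advisory("EX-2016-001", "examplekernel", "4.8.3", "4.8.3"),
    Advisory("EX-2017-002", "licmgr", "11.14.1", "11.14.1"),
    Advisory("EX-2017-003", "webui", "3.0.0", "3.0.0"),
]

# Constructed inventory: product -> {component: shipped version}.
INVENTORY = {
    "ProductA 2.3": {"examplekernel": "4.4.0", "licmgr": "11.14.1"},
    "ProductB 1.0": {"examplekernel": "4.9.2", "licmgr": "11.12.0",
                     "webui": "2.9"},
}


def is_affected(shipped_version: str, advisory: Advisory) -> bool:
    """True when the shipped version falls below the advisory's fixed range."""
    return parse_version(shipped_version) < parse_version(advisory.affected_below)


def find_exposures(inventory: dict, advisories: list) -> dict:
    """Return {product: [(advisory_id, component, shipped, fixed_in), ...]}
    listing every advisory that applies to a component a product ships."""
    exposures = {}
    for product, components in inventory.items():
        hits = []
        for adv in advisories:
            shipped = components.get(adv.component)
            if shipped is not None and is_affected(shipped, adv):
                hits.append((adv.advisory_id, adv.component, shipped, adv.fixed_in))
        if hits:
            exposures[product] = hits
    return exposures


if __name__ == "__main__":
    for product, hits in find_exposures(INVENTORY, ADVISORIES).items():
        for advisory_id, component, shipped, fixed_in in hits:
            print(f"{product}: {component} {shipped} affected by "
                  f"{advisory_id}; upgrade to {fixed_in}")
```

Run against a new advisory as soon as the supplier publishes it, the same check tells the vendor immediately which of its products need a rebuild; run against the full advisory history when a product is first inventoried, it catches the older, already-exploited issues like the kernel flaw above.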