Today the DHS ICS-CERT published three control system security updates for products from Leão Consultoria e Desenvolvimento de Sistemas (LCDS), Moxa, and Rockwell. They also updated two previously published control system security advisories for products from Siemens.
LCDS Advisory
This advisory describes an improper check or handling of exceptional conditions vulnerability in the LCDS LAquis SCADA. The vulnerability was reported by Karn Ganeshen. LCDS has a new version that mitigates the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a highly-skilled attacker with local access could exploit this vulnerability to crash the device being accessed, resulting in a structured exception handler overflow condition, which may allow code execution.
Moxa Advisory
This advisory describes an information exposure vulnerability in the Moxa MXview network management software. The vulnerability was reported by Michael DePlante of the Leahy Center for Digital Investigation at Champlain College. Moxa developed a new version to mitigate the vulnerability. There is no indication that DePlante has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to read the private key of the web server, which may allow a remote attacker to decrypt encrypted information.
Rockwell Advisory
This advisory describes six vulnerabilities in the Rockwell MicroLogix Controller. The vulnerabilities were reported by Jared Rittle and Patrick DeSantis of Cisco. Rockwell has provided mitigation strategies in their customer notification (registration required). There is no indication that the researchers were provided an opportunity to verify the efficacy of the fixes.
The six reported vulnerabilities (according to ICS-CERT) are:
• Improper authentication (6) - CVE-2017-12088, CVE-2017-12089, CVE-2017-12090, CVE-2017-12092, and CVE-2017-12093
NOTE: Rockwell does not use the ‘improper authentication’ description for any of the six (actually 17) vulnerabilities. Instead they report (using the same CVE numbers):
• Denial of service via ethernet functionality - CVE-2017-12088;
• Denial of service via download functionality - CVE-2017-12089;
• Denial of service – SNMP-set request - CVE-2017-12090;
• Access control vulnerabilities (12) - CVE-2017-14462 thru CVE-2017-14473;
• File-write vulnerability in memory module - CVE-2017-1209; and
• Malicious register session packets lead to communication loss - CVE-2017-12093
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause denial of service, disclosure of sensitive information, communication loss, and modification of settings or ladder logic.
SCALANCE Update
This update provides additional details on an advisory that was originally published on November 28th, 2017. The new version provides updated mitigation information for the SCALANCE W1750D.
Building Technologies Products Update
This update provides additional details on an advisory that was originally published on April 3rd, 2017. The new information provides a link to the updated LMS. I mentioned this new information in my earlier post.
1 comment:
Regarding the Rockwell MicroLogix vulnerability: switching the unit from Run to Remote or to Program mode is a multi-step menu button process. Most people get annoyed with that and end up leaving the unit in Remote mode.
This leaves the unit wide open to all sorts of abuse, even though Rockwell has addressed the problem as well as they can.
The key switch on all PLCs is a sore subject for a lot of people. From a security perspective, it would be much nicer to not have an online code editing feature. But units like that probably won't sell too well.
The inconvenience is significant.