Saturday, May 5, 2018

Public ICS Disclosure – Week of 04-28-18

We have one public disclosure of exploit code this week for a previously disclosed Schneider vulnerability. I have also seen some interesting discussions (without any details as they have not yet been disclosed) on the next generation of Spectre vulnerabilities (ingeniously called Spectre NG).

Schneider Exploit

Tenable posted a very short proof-of-concept exploit for the Schneider InduSoft Web Studio and InTouch Machine Edition. This stack-based buffer overflow vulnerability was reported last month.

Tenable initially reported the vulnerability to Schneider and received credit for that coordinated disclosure in both the ICS-CERT and Schneider advisories. They received a lot more press this week, however (see here for example), when they released exploit code for a vulnerability that both ICS-CERT and Schneider had already noted was exploitable by a relatively low-skilled attacker even without a publicly disclosed exploit.

Spectre NG

There have been a number of press reports (see here, here and here for example) about the Spectre NG vulnerabilities in Intel chips. In what appears to be the initial public reporting of these new chip vulnerabilities, Jürgen Schmidt reported that “eight new security flaws in Intel CPUs have already been reported to the manufacturer by several teams of researchers”.

Jürgen also notes:

“An end to patches for hardware problems of the Spectre category is not in sight. But a never-ending flood of patches is not an acceptable solution. You can't shrug off the fact that the core component of our entire IT infrastructure has a fundamental security problem that will keep leading to more problems.”

This is a legacy issue that will be around for a long time.

