Today the DHS NCCIC-ICS published a control system security
alert for CAN bus network implementation in avionics and two control system
security advisories for products from Prima Systems and Wind River.
CAN Bus Alert
This alert briefly
describes a public report about insecure implementation of CAN bus networks
affecting aircraft. The report was
published by Patrick Kiley of Rapid7.
Prima Systems Advisory
This advisory
describes nine vulnerabilities in the Prima Systems FlexAir access control
platform. The vulnerabilities were reported by Gjoko
Krstic of Applied Risk. Prima Systems has a new version that mitigates the
vulnerabilities. There is no indication that Krstic has been provided an
opportunity to verify the efficacy of the fix.
The nine reported vulnerabilities are:
• OS command injection - CVE-2019-7670;
• Unrestricted upload of file with dangerous type (2)
- CVE-2019-7669 and CVE-2019-9189;
• Cross-site request forgery - CVE-2019-7281;
• Small space of random values - CVE-2019-7280;
• Cross-site scripting - CVE-2019-7671;
• Exposure of a backup file to an unauthorized
control sphere - CVE-2019-7667;
• Improper authentication - CVE-2019-7666; and
• Use of hard-coded credentials - CVE-2019-7672.
NOTE 1: NCCIC-ICS does not include a default credentials
vulnerability, CVE-2019-7668, reported by Krstic.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to execute
commands directly on the operating system, upload malicious files, perform
actions with administrative privileges, execute arbitrary code in a user’s
browser, discover login credentials, bypass normal authentication, and have
full system access.
NOTE 2: I briefly
described the Rapid7 report back in May.
Wind River Advisory
This advisory
describes eleven vulnerabilities in the Wind River VxWorks operating system.
The vulnerabilities were reported by Armis
researchers Gregory Vishnepolsky, Dor Zusman, and Ben Seri. Wind River has
patches to mitigate the vulnerabilities. There is no indication that the
researchers have been provided an opportunity to verify the efficacy of the
fix.
The eleven reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2019-12256;
• Heap-based buffer overflow - CVE-2019-12257;
• Integer underflow - CVE-2019-12255;
• Improper restriction of operations within the
bounds of a memory buffer (2) - CVE-2019-12260 and CVE-2019-12261;
• Race condition - CVE-2019-12263;
• Argument injection or modification (4) - CVE-2019-12258,
CVE-2019-12262, CVE-2019-12264 and CVE-2019-12265; and
• Null pointer dereference - CVE-2019-12259.
Since the affected operating systems are used in a large number
of IoT and ICS systems we can expect advisories from affected vendors
implementing the Wind River mitigation measures. The NCCIC-ICS advisory
already lists 2 vendor advisories and the Armis report adds a third. The three
vendor advisories available to date include:
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow remote code execution.