
Friday, July 28, 2017

ICS-CERT Publishes 3 Advisories and 2 Updates

Yesterday the DHS ICS-CERT published 3 control system security advisories for products from PDQ Manufacturing, Mirion Technologies and Continental AG. They also updated two previously issued advisories for products from Schneider Electric and Siemens.

PDQ Advisory

This advisory describes two vulnerabilities for the PDQ LaserWash, Laser Jet and ProTouch carwash control systems. The vulnerabilities were reported by Billy Rios and Jonathan Butts of WhiteScope and independent security researcher Terry McCorkle. PDQ is developing mitigation measures and has provided interim mitigating controls. This was publicly disclosed at Black Hat.

The two reported vulnerabilities are:

• Improper authentication - CVE-2017-9630; and
• Missing encryption of sensitive data - CVE-2017-9632

ICS-CERT reports that a relatively low skilled attacker could use publicly available exploits to remotely exploit the vulnerabilities, gain unauthorized access to the affected system, and issue unexpected commands that impact the intended operation of the system.

Mirion Advisory

This advisory describes two vulnerabilities in Mirion Telemetry Enabled Devices (radiation sensors). These vulnerabilities were reported by Ruben Santamarta of IOActive and were presented at Black Hat. ICS-CERT reports that: “Mirion Technologies is continuing their investigation of this matter and expects to provide users with additional news and solutions in the next three months.” Interim mitigation measures are described.

The two vulnerabilities are:

• Use of a hard-coded cryptographic key - CVE-2017-9649; and
• Inadequate encryption strength - CVE-2017-9645

ICS-CERT reports that an uncharacterized attacker with uncharacterized access could use a publicly available exploit to transmit fraudulent data or perform a denial of service.

NOTE: The Santamarta paper also reports vulnerabilities in radiation detection products from Ludlum.

Continental Advisory

This advisory describes two vulnerabilities in the Continental Infineon S-Gold 2 (PMB 8876) chipset used in a variety of automotive telematics devices. The vulnerabilities were reported by Mickey Shkatov, Jesse Michael, and Oleksandr Bazhaniuk of the Advanced Threat Research Team at McAfee. ICS-CERT reports that: “Continental has validated the reported vulnerabilities but has not yet identified a mitigation plan.”

The reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2017-9647; and
• Improper restriction of operations within the bounds of a memory buffer - CVE-2017-9633

ICS-CERT reports that a relatively low skilled attacker using publicly available exploits could remotely exploit these vulnerabilities to disable the infotainment system of the vehicle and affect functional features of the vehicle. According to affected auto manufacturers, these vulnerabilities do not directly affect the critical safety features of the vehicle.

Schneider Update

This update provides new information on an advisory originally published on November 3rd, 2016 and updated on November 29th. The update provides information about the new version that does not include the web server feature.

Siemens Update

This update provides new information on an advisory that was originally published on July 6th, 2017, and updated on July 18th. It provides updated affected versions and mitigation measures for the firmware variant IEC 104: all versions prior to V1.21.

Missed Siemens Advisory

Early last week Siemens reported two vulnerabilities in some of their XP® based Healthineers products. Siemens reports that they are working on updates for the affected products and have provided workarounds that can be used until the updates become available. ICS-CERT has not reported on these vulnerabilities.

Sunday, August 21, 2011

ICS-CERT Monthly Monitor

Friday the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) published the latest edition of their ICS security newsletter, the ICS-CERT Monthly Monitor; this issue covers two months. A number of interesting topics are covered in this issue, including spear phishing, Black Hat 2011, the Siemens fiasco and preserving cyber forensics data.

Spear Phishing

A nice article on Spear Phishing notes that ICS-CERT has been responding to an “increasing number of spear phishing attacks”. One would assume that when ICS-CERT got involved it was a successful spear phishing attack where something ‘malicious’ was noted on the attacked network. It is interesting to note in the article (mentioned in passing as it were) that the apparent response to a successful spear phishing attack involves shutting down the corporate email system “until the extent of the problem [is] known and mitigation steps [are] taken”.

Black Hat Briefings

The brief piece on the Black Hat Briefings conference provides a brief bit of information from the conference that I haven’t seen mentioned elsewhere; the description of an airborne hacker tool. The wireless aerial survey platform (WASP) is apparently a remotely piloted vehicle that would fly over an installation trying to detect and intercept Wi-Fi and cell transmissions. With the increased use of wireless communications between control systems components, this could provide another route of access into the control system network. Of course, high-risk chemical facilities should already be concerned about the use of RPVs for surveillance or even attacks, so this is just one more reason to acquire sophisticated anti-aircraft attack capabilities (just a little sarcasm).

Siemens

The brief piece on the Siemens issues provides essentially a summary of their summarizing advisory that I have previously addressed. I would like to suggest that an alternative analysis of the ICS-CERT approach to the Siemens issues can be found at Ralph Langner’s recent blog posting on the issue. Anyone who has read Ralph’s stuff on Stuxnet will not be surprised that he has been less than enamored with the response of ICS-CERT on much of anything to do with Siemens.

Cyber Forensics

There is a relatively lengthy piece on cyber forensics and the importance of planning for how to respond to a cyber incident. Most facilities will be focusing on getting their systems back into the normal functional mode when something goes wrong with their system (either from an attack, human error, or just a glitchy piece of equipment/software). Cyber forensics is used to determine why and how a problem occurred and is important in figuring out how to limit the current problem and prevent it from happening again. This piece is well worth the read and further exploration. Some of the techniques suggested for preserving forensics data would normally fly in the face of standard procedures for quickly restoring functionality, but with more cyber-attacks occurring, facilities really need to consider these techniques as a method of discovering the true extent of what happened.

Other Information

There is also a nice text box describing the wonders and benefits of ‘coordinated vulnerability disclosure’. ICS-CERT has a vested interest in the CVD process, so they can be expected to support it. It seems to me that when the process works (i.e., the vendor responds promptly and puts forth a reasonable effort to fix the problem) this system provides the most effective method for identifying and responding to vulnerabilities. When there is no response, or an inadequate response, then alternate methods of communication need to be used.

Finally, the Monitor closes with two pages of ‘Open Source Situational Awareness Highlights’; a listing of articles and blog posts of significance to the control system security community. While certainly not an exhaustive bibliography, it certainly provides a pretty good reading list. I was impressed that there are a couple of blog posts included in their list (none of mine, alas). I would have been more impressed if they had included a listing of some posts by people like Ralph Langner or Dale Peterson that questioned the various responses of ICS-CERT to cyber security issues, but that would be expecting a bit more objectivity than is probably reasonable.

In short, this is a fairly impressive newsletter by a government agency that is a small but important cornerstone of the Federal response to cyber security issues in industrial control systems. Everyone in the ICS security community should read it.