
Thursday, September 26, 2013

ICS-CERT Publishes Emerson RTU Advisory

Today the DHS ICS-CERT published a control system advisory for Emerson Process Management RTUs for multiple vulnerabilities. The vulnerabilities were reported by Dillon Beresford, Brian Meixell, Marc Ayala, and Eric Forner of Cimation in a coordinated disclosure. ICS-CERT reports that Emerson has developed a patch that has been validated by the Cimation researchers.

ICS-CERT reports that there are three separate hidden functionality vulnerabilities and a hard-coded credential vulnerability. The four vulnerabilities are:

• OSE debug broadcast, CVE-2013-0693;
• OSE debug service, CVE-2013-0692;
• TFTP server, CVE-2013-0689; and
• Use of hardcoded credentials, CVE-2013-0694.

NOTE: The CVE links will be functional in the near future.

The advisory notes that each of these vulnerabilities is remotely exploitable and would allow a relatively low skilled attacker to execute arbitrary code and gain full control of the device. These are all serious vulnerabilities; the lowest CVSS v2 base score is 9.0.


Organizations with a large number of these RTUs, particularly those in distribution systems, will have a large degree of difficulty in patching all of the affected devices in a timely manner and their systems will remain vulnerable until all RTUs are patched.

Sunday, April 28, 2013

ICS-CERT Publishes Two Friday Advisories


On Friday afternoon the DHS ICS-CERT published two advisories for multiple vulnerabilities on MatrikonOPC and a single vulnerability on Galil RIO-47100. Both advisories were based upon coordinated disclosures.

NOTE: Along with a recent change in the ICS-CERT web site format, ICS-CERT has changed their Advisories (and presumably Alerts) from .PDF pages to .HTML pages. They may still be saved as .PDF files, but this should remove some of the complaints heard about ICS-CERT using an ‘inherently vulnerable’ .PDF format for their reports. I’ve even heard some really paranoid individuals complain that ICS-CERT was using the .PDF reports to spread spyware.

MatrikonOPC Advisory

ICS-CERT reports that two vulnerabilities [Link added 4-28-13 07:05 CDT] were reported by Dillon Beresford of Cimation. The vulnerabilities are:

• Path traversal, CVE-2013-0673; and
• Error handling, CVE-2013-0666

(NOTE: CVE links will not be active for a couple of days) [4-28-13 07:05 CDT]

ICS-CERT notes that a relatively low skilled attacker could remotely exploit these vulnerabilities to gain access to system files or crash the configuration utility. They also note that the system must be accessible via the internet for the remote exploitation to be possible.

MatrikonOPC has produced patches that have been verified by Dillon to mitigate the vulnerabilities. The link to the patch page in the advisory does not work [NOTE: As of 04:00 CDT 4-29-13, this has been corrected]. Use this link (http://www.opcsupport.com/ics/support/default.asp?deptID=4590) to the product advisory page instead. Click on the appropriate product and use the instructions on the product page to download the patch.

Galil Advisory

ICS-CERT reports an input validation vulnerability [link added 4-28-13 07:05 CDT] in the Galil RIO-47100 PLC that was reported by Jon Christmas of Solera Networks.

ICS-CERT notes that a moderately skilled attacker could remotely exploit this vulnerability to execute a DoS attack.

A firmware update is available at http://www.galilmc.com/support/firmware-downloads.php and Christmas confirms that it resolves the identified vulnerability. The link in the advisory is good, but it takes you through a ‘You are leaving ICS-CERT’ page which I have always found to be annoying and more than a little mindless. Interestingly the Firmware Release Notes page also explains that the latest release fixes a buffer overflow issue not mentioned in the ICS-CERT advisory.

New Format

As I mentioned earlier, ICS-CERT has changed the format for their Advisories and Alerts. They have gone back and updated earlier alerts (at least through the Clorius Controls Alert from April 1st). Along with changing from a .PDF to .HTML file format, they have significantly modified the typography and slightly modified the layout. In my opinion (FWIW) the changes have detracted from the readability of the documents. This is especially true when the document is saved in a .PDF format.

The change in format also removes two fixtures of the reports. The recently added ‘Traffic Light Protocol’ (TLP) markings have been removed from the documents; a good move in my opinion. The product warranty box at the bottom of the first page of the old format has also been removed. This was one of those legal disclaimer things that we are seeing in too many areas of our public lives and the world would be a better place without them.

Thursday, November 1, 2012

InfraGard SCADA Briefing


Today I had the pleasure to attend a SCADA Security Briefing sponsored by InfraGard, the Louisiana Governor’s Office of Homeland Security and Emergency Preparedness (GOHSEP) and Cimation. The presenters were Special Agent Will Hatcher (FBI), Devin King (GOHSEP) and Marc Ayala (Cimation). There were about 20 attendees from Louisiana chemical companies, an ICS vendor, and the US Coast Guard.

Presentations


The presentation by SA Hatcher was a good review of the change in the cybersecurity threat over the last 20 years or so (it was nice to hear someone talk about cybersecurity that remembers that hackers started out as phone phreakers, stealing service from Ma Bell). It was a fairly comprehensive review of changes in IT and ICS security issues over time. As one would suspect, SA Hatcher has had more experience with IT security issues, but he had a good understanding of recent ICS issues and looked at the DUQU-Flame-Shamoon as potential reconnaissance tools for future ICS attacks.

Devin gave an interesting presentation on the cybersecurity programs that he has helped develop for the Louisiana Fusion Center, one of the first cyber-fusion units in the country. Once again his main background is IT security, but, because of the large petrochemical industry in the State, there is a significant interest in developing ICS related cyber-security information sharing in the State Fusion Center. He noted in the presentation that he is getting significant information about cybersecurity incidents from State and local government agencies (about 50,000 reported cyber-attacks of all sorts per week), but nothing from the private sector. He solicited input from the audience, noting that the unit was able to provide a variety of situational advisories and an extensive IP Blocking list.

Marc gave an interesting presentation on ICS security, having worked with ICS systems for a number of years. He included an interesting story about an ‘air-gapped’ control system that he had looked at that was based on an old-style pneumatic control system; the only problem was that the compressor supplying the control system air was a new-fangled, electronically controlled system complete with an internal web server.

Marc provided an interesting bit of information about the recent attacks on pipeline control systems. It seems that ICS-CERT updated their advisory (ISCA-12-136-01D) on their restricted server last week. The new version provides lists of files, versions and dates that have been found on affected systems; data that can be used to check computers for symptoms of attack. Marc pointed out that one of the files would look like it was a file for an Adobe file reader. This is a good reason for control system owners to have someone sign up for HSIN access to that controlled server. (NOTE: I'm not signed up for this because of information sharing restrictions on their restricted information; not a good thing for a blogger.)
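The file-name, version and date lists described above are the kind of indicator an owner can sweep a workstation for. The script below is an added example (not code from the post, Cimation, or ICS-CERT) showing how such a sweep works: it walks a directory tree, reports any file whose name is on the indicator list, records its size, SHA-256 and modification time, and flags whether the modification date falls within a tolerance of the date the advisory reports. The indicator names and dates in `INDICATORS` are constructed placeholders; the real list is only available on the restricted HSIN server and would be loaded in their place. `build_demo_tree()` creates a small constructed sample tree so the script runs offline.

```python
"""Sweep a directory tree for files named in an advisory indicator list.

Added example; INDICATORS holds constructed placeholders, not the real
file names from the restricted ICS-CERT advisory."""
import hashlib
import os
import tempfile
from datetime import datetime, timezone

# Placeholder indicators: file name and the date the (hypothetical)
# advisory reports seeing on affected systems. The first mimics the
# "looks like an Adobe reader file" case mentioned in the briefing.
INDICATORS = [
    {"name": "PLACEHOLDER_AcroRdUpdate.exe", "date": "2012-09-14"},
    {"name": "PLACEHOLDER_svchost32.dll", "date": "2012-10-02"},
]


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def date_matches(mtime_ts, indicator_date, tolerance_days=2):
    """True if the file's UTC modification date is within tolerance of
    the advisory date (time zones and clock drift blur exact matches)."""
    seen = datetime.fromtimestamp(mtime_ts, tz=timezone.utc).date()
    expected = datetime.strptime(indicator_date, "%Y-%m-%d").date()
    return abs((seen - expected).days) <= tolerance_days


def scan_tree(root, indicators=INDICATORS, tolerance_days=2):
    """Return a finding for every file whose name matches an indicator.

    Name-only hits are still reported (date_match=False) so an analyst
    can review them; a wrong date does not prove a file is benign."""
    by_name = {i["name"].lower(): i for i in indicators}
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            ind = by_name.get(fname.lower())
            if ind is None:
                continue
            path = os.path.join(dirpath, fname)
            st = os.stat(path)
            findings.append({
                "path": path,
                "indicator": ind["name"],
                "size": st.st_size,
                "sha256": sha256_of(path),
                "mtime": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
                "date_match": date_matches(st.st_mtime, ind["date"], tolerance_days),
            })
    return findings


def build_demo_tree():
    """Constructed sample tree: one hit with a matching date, one
    name-only hit with a date far from the advisory, one benign file."""
    root = tempfile.mkdtemp(prefix="ioc_demo_")

    def touch(rel, content, ymd):
        p = os.path.join(root, rel)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(content)
        ts = datetime.strptime(ymd, "%Y-%m-%d").replace(tzinfo=timezone.utc).timestamp()
        os.utime(p, (ts, ts))

    touch("Windows/Temp/PLACEHOLDER_AcroRdUpdate.exe", b"MZ\x90\x00", "2012-09-15")
    touch("Users/op/PLACEHOLDER_svchost32.dll", b"MZ\x90\x00", "2011-01-01")
    touch("Program Files/Vendor/readme.txt", b"benign", "2012-09-15")
    return root


def demo():
    """Build the constructed tree and sweep it; returns the findings."""
    return scan_tree(build_demo_tree())


if __name__ == "__main__":
    for f in demo():
        flag = "DATE MATCH" if f["date_match"] else "name only"
        print(f"{flag}: {f['path']} sha256={f['sha256'][:16]}...")
```

On a real workstation you would point `scan_tree` at the system drive and feed it the advisory's list; the SHA-256 recorded for each hit is what you would pass along when reporting back to ICS-CERT or the fusion center, since the advisory's date alone is a weak indicator.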

Demonstration


Marc also provided a demonstration of the results of a denial of service attack on an AB PLC. He had a nice HMI-PLC system set up that controlled a pump motor on the other side of the room. First he showed how he controlled the pump motor from the HMI via the PLC. Then he sent some random signals to an open port on the PLC simulating a DOS attack; it took just a couple of seconds for the pump to shut down. Even worse, he showed that the DOS attack also resulted in the instruction set on the pump controller being erased so that it had to be reprogrammed before the system would work again. Then he demonstrated how a firewall device protected the open port.

Future Briefings


This was one of a series of these briefings being conducted around the State. There is another one next month in Lafayette, LA (watch Marc’s blog at Cimation for registration information). I would certainly recommend that facility owners and security officers consider attending. I would also recommend that other state organizations consider contacting Cimation or InfraGard to set up similar briefings.