Showing posts with label DigitalBond. Show all posts

Thursday, September 24, 2020

1 Update Published – 9-24-20

Today the CISA NCCIC-ICS published an update for a control system security advisory for products from 3S.

CODESYS Update

This update provides additional information on an advisory that was originally published on January 11th, 2013. The new information includes:

• Adding CODESYS Control RTE to list of affected products,

• For CVE-2012-6068, replaced the ‘CVSS v2 base score of 10.0’ with the ‘CVSS v3 base score of 9.8’ along with the associated changes in CVSS vector string, and

• For CVE-2012-6069, replaced the ‘CVSS v2 base score of 10.0’ with the ‘CVSS v3 base score of 10.0’ along with the associated changes in CVSS vector string.

The update is a bit more complicated than that as NCCIC-ICS partially updated the format of the advisory to reflect a number of editorial changes made in the last seven years.

Commentary

Okay, a little background is in order on this ancient (in cyber years, but not as ancient in control system years) advisory. The CVE-2012-6068 vulnerability was initially reported by Reid Wightman at AppSec DC in April 2012. Dale Peterson has an excellent write-up of the importance of this vulnerability over on DigitalBond. ICS-CERT published an Alert about the vulnerability on April 6th, 2012 and then updated that Alert on October 26th, 2012 to reflect the publication of two exploit tools by Reid. Eventually (January 11th, 2013) ICS-CERT upgraded the Alert to the Advisory that was updated today. Oh, BTW, the 3S advisory for these vulnerabilities is no longer on their Security Reports web page; they only go back to February 14th, 2017.

It seems a little more than odd that 3S would add a product to the affected product list seven+ years later. They either just now realized that the product was affected even though it was apparently ‘fixed’ at the same time as the other two affected products were, or they knew all along and just did not want to tell anyone about the problem in that product since it had not been identified by Reid. In either case it just emphasizes the apparent lack of concern at 3S about device security. And that is very disconcerting given the number of other vendors that use these affected products.

Saturday, September 12, 2015

More on Yokogawa Advisory

There was an interesting Twitversation yesterday about the Yokogawa advisory that ICS-CERT published Thursday. I noted that Yokogawa was to be commended for self-reporting the vulnerabilities. Dale Peterson from DigitalBond noted that the security note published by Yokogawa credited Rapid7 and another researcher with reporting the vulnerability.

Readers of my blog post will recall that I quoted from the Yokogawa report, so I was surprised that I missed their researcher acknowledgement. I opened up the document referenced in Dale’s Tweet® and it surely does credit Juan Vazquez of Rapid7 and Julian Vilas Diaz with reporting the vulnerability. The only problem is that that report is from March of 2014 and is not the document referenced in the latest ICS-CERT advisory. The report that Dale referenced is related to an ICS-CERT advisory from May of last year.

The new advisory (from either ICS-CERT or Yokogawa) does not provide enough details about the individual vulnerabilities to determine if they are the same vulnerabilities reported last year. A closer look at the two lists of covered products, however, does show that, for some of the listed products at least, newer versions of the products are affected by the newer advisory.


In any case, it is clear that Yokogawa has done a great deal of work internally to identify the wide variety of products affected by these three buffer overflows. That kind of product line investigation takes time and resources, and Yokogawa is to be commended for investing that kind of effort in internal security research.