Showing posts with label ICS-CERT Alerts. Show all posts

Friday, September 18, 2015

Multiple ICS-CERT Advisories on Secure Portal

I have heard rumors that there are two or three ICS-CERT advisories currently on the US-CERT Secure Portal. ICS-CERT typically releases advisories for high impact vulnerabilities on the Secure Portal first to allow critical infrastructure owners a chance to implement appropriate mitigation measures before those vulnerabilities are released to the public.

Readers of this blog will probably be aware that I do not have access to the Secure Portal. It was graciously offered but I turned it down because I did not want to be put in the position of knowing about advisories like this without being able to write about them.


I would encourage all critical infrastructure facilities with control systems to request access to the US-CERT Secure Portal so that they have access to advisories like this before they are made public. Instructions on how to apply for access can be found at the bottom of the ICS-CERT main website.

Wednesday, August 12, 2015

ICS-CERT Publishes Four DefCon 2015 Related Alerts

This afternoon the DHS ICS-CERT published alerts for four control system product vulnerabilities that were publicly disclosed during DefCon 2015 by Aditya K. Sood on August 8th. Proof-of-concept exploit code was presented at the conference.

Three of the four vulnerabilities were disclosed to ICS-CERT shortly before their release in Las Vegas, but ICS-CERT has not yet been able to complete the coordination/verification process with the vendors.

Moxa Alert

This alert describes three password related vulnerabilities in the Moxa ioLogik E2210 Ethernet Micro RTU controller. Two of these vulnerabilities are reportedly remotely exploitable.

Prisma Alert

This alert describes a cross-site request forgery vulnerability and an insufficiently protected password vulnerability in Prisma web products. Both of these vulnerabilities are reportedly remotely exploitable.

Schneider Alert

This alert describes three types of vulnerabilities in Schneider Electric’s Modicon M340 PLC Station P34 CPU modules. Those vulnerabilities include:

Hard-coded credentials (remotely exploitable);
Local file inclusion; and
Remote file inclusion (remotely exploitable).

Some of these vulnerabilities were already in the coordination/mitigation process while others had not been disclosed to either ICS-CERT or Schneider.

Kako Alert

This alert describes a hard-coded password vulnerability in KAKO HMI products. This vulnerability is remotely exploitable.

Monday, September 24, 2012

My Mistake – ICS-CERT Alerts

I received three anonymous comments today about last night’s post about ICS-CERT alerts. Well, they were probably the same comments three times trying to ensure that I got the information. The comments were a list of ICS-CERT alerts for the Luigi vulnerability disclosures that I mentioned in that blog post. I have gone back and confirmed that not only were the alerts posted, but I commented on them in my blog.

Oh, well, I get stupid every once in a while. Somehow I missed them in my file search yesterday. My apologies to ICS-CERT and my readers. And thanks to my readers for pointing out the error.

There was one Luigi disclosure that wasn’t given an alert, but even Luigi noted on his web site that the system was only marginally related to control systems so ICS-CERT apparently decided that it did not fall within their purview.

Okay, so my Luigi examples are full of c**p. That makes the Reid Wightman disclosures even more of an anomaly. Why was there the almost three month delay between Wightman’s disclosure of the ORing vulnerability and the ICS-CERT Advisory? And why did ICS-CERT ignore the second disclosure in the same blog posting?

There is a fourth comment on the same blog post by another Anonymous reader that kind of obliquely mentions the US-CERT secure portal, where properly vetted owners can sometimes access advisories when the vendor publishes the mitigation or patch before the vulnerability is made public. But that is a separate matter, as it appropriately gives system owners the ability to patch their systems before the 0-day is disclosed to the public.

Tuesday, March 22, 2011

DHS ICS-CERT Issues Multiple Alerts

Yesterday evening the folks at the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) took the unusual step of publishing four separate control system vulnerability alerts. Of potentially more interest, they took this action because a single security researcher, Luigi Auriemma, published 34 separate exploits for 0-day vulnerabilities in those four systems. Oh, yes, the other important piece of information: Luigi is not a SCADA expert, ‘just’ a prolific writer of 0-day exploits.

The four covered systems are:

Siemens Tecnomatix FactoryLink – 6 exploits
Iconics GENESIS32 and GENESIS64 – 13 exploits
7-Technologies IGSS – 8 exploits
DATAC RealWin – 7 exploits

ICS-CERT was very prompt in issuing these four alerts. The exploits were published yesterday and less than 12 hours later the alerts were posted on their web site. Of course the fact that the cyber security community was actively discussing Luigi’s feat on-line probably made it easier to get the bureaucratic approval necessary to publish the alerts in a timely manner.

Underlying Issue

Luigi described the vulnerabilities this way:

“In technical terms the SCADA software is just the same as any other software used everyday, so with inputs (in this case they are servers so the input is the TCP/IP network) and vulnerabilities: stack and heap overflows, integer overflows, arbitrary commands execution, format strings, double and arbitrary memory frees, memory corruptions, directory traversals, design problems and various other bugs.”
This just goes to show that the same classes of bugs that the general software development community has been dealing with for years exist in ICS software as well. As more security researchers (both ‘good’ and ‘bad’) turn their attention to control systems, it seems inevitable that more 0-day vulnerabilities, probably many more, are going to be found.

That this problem exists is not a new idea. Dale Peterson over at DigitalBond.com put it this way yesterday:

“Realistically though, there is a huge amount of legacy code out there with latent vulnerabilities waiting for smart guys like Luigi to find. Vendors that are making their software available for download have to expect that someone in the security research community, and probably some bad guys, will download the product just to find vulnerabilities and build exploits. We mentioned this in previous blog entries, but hopefully 34 vulnerabilities will prove the point.”
For the user community this means that, if Stuxnet was not enough of a warning, Luigi pointed out yesterday how easy it would be for even a moderately talented hacker (please, I am not saying Luigi is just ‘moderately talented’; that is obviously not true) to attack a system. With the exploits published yesterday, owners of systems that contain these programs no longer have even the minimal comfort of knowing that an attack would require a moderate skill level. The basic hacker now has ready-made tools for accessing those systems.

Mitigation

How long will it take to get patches for these vulnerabilities? We’ll have to wait and see. Remember, though, the software development cycle started yesterday. Don’t hold your breath; it takes time to fix these things.

In the meantime ICS-CERT provides this generic guidance in their alerts:

“Control system devices should not directly face the Internet. Locate control system networks and devices behind firewalls, and isolate them from the business network. If remote access is required, employ secure methods such as Virtual Private Networks (VPNs).”
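That generic guidance is easy to state and surprisingly easy to violate with a single permissive rule, so here is an added example (written for this post, not ICS-CERT's or any vendor's code) of a small zone-based policy checker that tests a firewall ruleset against the three points in the quote: no direct Internet access to control devices, no direct business-network access to control devices, and a VPN gateway as the only remote path. The zone names, the `Rule` format, the first-match semantics and both sample rulesets are constructed assumptions for the illustration, not taken from any real network or product.

```python
"""Zone-based firewall policy checker for the ICS-CERT segmentation guidance.

Added illustration: the zone names, the rule format and the sample rulesets
below are constructed for this example and do not describe a real network.
"""
from dataclasses import dataclass

# Assumed zones. "vpn" is the remote-access gateway that terminates tunnels
# before any traffic is allowed toward the control network.
INTERNET, BUSINESS, VPN, ICS = "internet", "business", "vpn", "ics"


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    action: str          # "accept" or "drop"
    proto: str = "any"   # e.g. "tcp/502" for Modbus/TCP, or "any"


def check_policy(rules, default_policy):
    """Return a list of findings; an empty list means the policy is compliant.

    rules: ordered list of Rule, evaluated first-match-wins.
    default_policy: dict mapping a destination zone to "accept" or "drop"
    for traffic that matches no rule.
    """
    findings = []
    if default_policy.get(ICS, "accept") != "drop":
        findings.append("control network must default to drop, not accept")

    seen = set()
    for r in rules:
        key = (r.src, r.dst, r.proto)
        # Only exact duplicates are treated as shadowed; a wildcard rule
        # shadowing a narrower later rule is not modelled here.
        if key in seen:
            continue
        seen.add(key)
        if r.action != "accept":
            continue
        if r.dst == ICS and r.src == INTERNET:
            findings.append(
                f"control devices directly reachable from the Internet ({r.proto})")
        elif r.dst == ICS and r.src == BUSINESS:
            findings.append(
                f"business network reaches control network directly ({r.proto}); "
                "route it through the VPN gateway instead")
        elif r.dst == ICS and r.src == VPN and r.proto == "any":
            findings.append(
                "VPN gateway has unrestricted access to the control network; "
                "restrict it to the protocols and ports actually needed")
        elif r.dst == VPN and r.src == INTERNET and r.proto == "any":
            findings.append(
                "VPN gateway exposes every port to the Internet; "
                "allow only the tunnel protocol")
    return findings


# Constructed "before" ruleset: the flat network the alerts warn about.
FLAT_RULES = [
    Rule(INTERNET, ICS, "accept", "tcp/80"),   # HMI web interface on the Internet
    Rule(BUSINESS, ICS, "accept"),             # every office host can reach the PLCs
]
FLAT_DEFAULT = {ICS: "accept"}

# Constructed "after" ruleset following the ICS-CERT guidance.
SEGMENTED_RULES = [
    Rule(INTERNET, VPN, "accept", "udp/1194"),  # only the tunnel port faces the Internet
    Rule(VPN, ICS, "accept", "tcp/502"),        # remote users get Modbus/TCP only
    Rule(BUSINESS, ICS, "drop"),                # explicit drop, for documentation
]
SEGMENTED_DEFAULT = {ICS: "drop", VPN: "drop", BUSINESS: "drop"}


if __name__ == "__main__":
    for name, rules, dflt in (("flat", FLAT_RULES, FLAT_DEFAULT),
                              ("segmented", SEGMENTED_RULES, SEGMENTED_DEFAULT)):
        result = check_policy(rules, dflt)
        print(f"{name}: {'OK' if not result else 'FINDINGS'}")
        for f in result:
            print("  -", f)
```

Running it reports three findings for the flat ruleset (permissive default, Internet-facing HMI, and direct business-to-control access) and none for the segmented one. The point of the `VPN` checks is that a gateway does not help if it forwards everything: the guidance asks for a secure remote method, and in practice that means the tunnel terminates outside the control zone and only the protocols the remote job needs are passed through.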