Showing posts with label MatrikonOPC.

Thursday, May 10, 2018

ICS-CERT Publishes 3 Advisories and 1 Siemens Update


Today the DHS ICS-CERT published three control system security advisories for products from Rockwell Automation (2) and MatrikonOPC. They also updated a Siemens advisory; this is the update that I mentioned in passing last Thursday [changed link and day; 05-11-18, 0624 EDT]. The FactoryTalk advisory was originally released to the HSIN ICS-CERT library on April 12, 2018.

FactoryTalk Advisory


This advisory describes two vulnerabilities in the Rockwell FactoryTalk Activation Manager. I described these vulnerabilities in a blog post on April 14th. At that time I was not aware that ICS-CERT had published a restricted release advisory for the publicly available Rockwell notification (registration required). The ICS-CERT advisory does not mention the publicly available exploits for these vulnerabilities.

Arena Advisory


This advisory describes a use after free vulnerability in the Rockwell Arena simulation software for manufacturing. The vulnerability was reported by Ariele Caltabiano via the Zero Day Initiative. Rockwell has a newer version that mitigates the vulnerability. There is no indication that Caltabiano has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to cause the software application to crash. The Rockwell notice explains that a social engineering attack would be required to get an authorized user to open a maliciously crafted Arena file to exploit this vulnerability.

MatrikonOPC Advisory


This advisory describes a files or directories accessible to external parties vulnerability in the MatrikonOPC Explorer. The vulnerability was reported by Ilya Kapov of Positive Technologies. MatrikonOPC has a patch available to mitigate the vulnerability. There is no indication that Kapov has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker with local access could exploit this vulnerability to transfer unauthorized files from the host system. The MatrikonOPC security notification attributes the vulnerability to the Microsoft MSXML libraries, which have ‘known vulnerabilities’, but it does not give the version of the library in use. That raises the inevitable question of whether all of the appropriate Microsoft patches have been applied; it is a recurring problem with the use of third party libraries.

Siemens Update


This update provides information on an advisory that was originally published on November 28th, 2017 and updated on April 5th, 2018. This update provides mitigation measures for SCALANCE M-800 and S615.

Wednesday, November 26, 2014

ICS-CERT Publishes Siemens and MatrikonOPC Advisories

Yesterday the DHS ICS-CERT published two new advisories; one for the Siemens WinCC application and another for the MatrikonOPC for DNP application.

Siemens Advisory

This advisory is for two vulnerabilities in SIMATIC WinCC, both as a stand alone application and as implemented in SIMATIC PCS7 and TIA Portal. These are apparently self-identified vulnerabilities for which Siemens has updates for some of the affected products and is working on updates for the others.

ICS-CERT identifies the vulnerabilities as:

• Remote code execution - CVE-2014-8551; and
• Transfer/extract files - CVE-2014-8552.

Interestingly, this tells us what the exploit of the vulnerability is, not what the vulnerability is. The Siemens ProductCERT advisory is not any more forthcoming on this topic than is the ICS-CERT Advisory. I suspect that any more detailed description of the actual vulnerability would make it easy for the average hacker to figure out how to exploit these vulnerabilities.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities. ICS-CERT reports that exploits for these vulnerabilities may already be available and that these vulnerabilities “may have been exploited during a recent campaign”. Siemens acknowledges assistance from Symantec DeepSight Intelligence, which may substantiate that claim.

Siemens published their advisory on Friday. I noted in a TWEET® on Friday morning the unusual lack of description of the type of vulnerability. With the apparent level of risk involved and the widespread use of these applications I am very surprised (and disconcerted) that ICS-CERT took this long to publish this advisory.

MatrikonOPC Advisory

This advisory reports an unhandled C++ exception vulnerability in the MatrikonOPC DNP3 application. The vulnerability was reported by Crain-Sistrunk and was discovered under their Project Robus using their Aegis Fuzzer (I ought to charge these guys advertising fees, but I like their chutzpah too much). It looks like this brings the count to 26 reported of the 31 disclosed for the DNP3 protocol, and this is a different vulnerability than most of those previously reported by this team.

ICS-CERT reports that MatrikonOPC has produced a new version that mitigates this vulnerability but does not say that Crain-Sistrunk have verified the efficacy of that mitigation.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to effect a denial of service attack that would require a manual reboot of the system. The MatrikonOPC Security Notification notes that a successful exploit would “require expert knowledge of both the DNP3 protocol and an in-depth understanding of the vulnerability that exists in the affected versions of the MatrikonOPC Server for DNP3”.


MatrikonOPC published their notice on October 22nd, over a month ago. There is no indication in the ICS-CERT advisory that this had been released on the US-CERT Secure Portal, so I wonder why it took so long for this advisory to be published? Could they have been trying to convince MatrikonOPC to allow Crain-Sistrunk to verify that their update worked?

Thursday, August 29, 2013

ICS-CERT Publishes Another Crain-Sistrunk Advisory

Today ICS-CERT published an advisory for a buffer overflow vulnerability on the MatrikonOPC SCADA DNP3 OPC Server. Actually the document published today is a revised version of an advisory published on the US-CERT Secure Portal back on August 2nd. The vulnerability was reported by Adam Crain and Chris Sistrunk in a coordinated disclosure.

The Advisory

ICS-CERT reported that the vulnerability can be remotely exploited by a moderately skilled attacker to execute a DoS attack. MatrikonOPC insists that an exploit would require “in-depth technical knowledge of the DNP3 protocol and the specific vulnerability in the MatrikonOPC software”. I guess (sarcasm alert) that Adam and Chris were just lucky to be able to find the ‘specific vulnerability’.

MatrikonOPC has developed a new version of the OPC Server for DNP3 that eliminates this vulnerability. ICS-CERT reports that Adam has verified the efficacy of the update.

The Update

As I noted earlier this publicly available version of the advisory is actually an update of the earlier, limited release version. There are two changes listed in the update; a more detailed explanation of the mechanism of the vulnerability and an additional suggested mitigation to prevent the vulnerability from being remotely accessible.

The update notes that the server only stops communication because of this vulnerability after receiving a malformed DNP3 packet from a device. In an unusual move ICS-CERT added additional language indicating that Adam and Chris suggested that an additional mitigation measure would be to block “DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DPN3-specific (sic) rule sets”.
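As an added example (not code from the original post, and not MatrikonOPC's or Automatak's), here is the receive-side check that the malformed-packet description points at: validate a DNP3 link-layer frame's start bytes, length field, overall size and CRCs before any handler sees it, so a bad frame is dropped with a reason instead of becoming an unhandled exception that stops the server. The frame layout and the CRC-16/DNP parameters follow the public DNP3 specification; the sample frames, control byte and addresses are constructed for this example, and nothing here reflects the specific defect in the MatrikonOPC product, which the advisories do not describe.

```python
"""Added example (not from the original post, and not MatrikonOPC's or Automatak's
code): a DNP3 link-layer receive path that validates a frame before any handler
touches it, so a malformed frame is dropped with a reason rather than becoming an
unhandled exception. Frame layout and CRC-16/DNP parameters are from the public
DNP3 spec; the sample frames below are constructed here."""
from dataclasses import dataclass

START = b"\x05\x64"
HEADER_LEN = 10       # start(2) + length(1) + ctrl(1) + dest(2) + src(2) + crc(2)
MIN_LEN_FIELD = 5     # the length byte counts ctrl+dest+src+user data, never the CRCs
MAX_LEN_FIELD = 255
BLOCK_SIZE = 16       # user data travels in 16-byte blocks, each followed by its CRC


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, result inverted."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(ctrl: int, dest: int, src: int, user_data: bytes) -> bytes:
    """Assemble a well-formed frame; used only to construct sample input."""
    header = (START + bytes([MIN_LEN_FIELD + len(user_data), ctrl])
              + dest.to_bytes(2, "little") + src.to_bytes(2, "little"))
    frame = header + dnp3_crc(header).to_bytes(2, "little")
    for i in range(0, len(user_data), BLOCK_SIZE):
        block = user_data[i:i + BLOCK_SIZE]
        frame += block + dnp3_crc(block).to_bytes(2, "little")
    return frame


@dataclass
class Frame:
    ctrl: int
    dest: int
    src: int
    user_data: bytes


def parse_frame(raw: bytes) -> Frame:
    """Check every field before trusting it; raise ValueError naming the defect."""
    if len(raw) < HEADER_LEN:
        raise ValueError("short header")
    if raw[:2] != START:
        raise ValueError("bad start bytes")
    length = raw[2]
    if not MIN_LEN_FIELD <= length <= MAX_LEN_FIELD:
        raise ValueError(f"length field out of range: {length}")
    if int.from_bytes(raw[8:10], "little") != dnp3_crc(raw[:8]):
        raise ValueError("header CRC mismatch")
    user_len = length - MIN_LEN_FIELD
    full_blocks, tail = divmod(user_len, BLOCK_SIZE)
    expected = HEADER_LEN + user_len + 2 * (full_blocks + (1 if tail else 0))
    if len(raw) != expected:
        raise ValueError(f"frame is {len(raw)} bytes but length field implies {expected}")
    user_data = bytearray()
    pos = HEADER_LEN
    while len(user_data) < user_len:
        n = min(BLOCK_SIZE, user_len - len(user_data))   # last block may be short
        block = raw[pos:pos + n]
        if int.from_bytes(raw[pos + n:pos + n + 2], "little") != dnp3_crc(block):
            raise ValueError(f"data block CRC mismatch at offset {pos}")
        user_data += block
        pos += n + 2
    return Frame(raw[3], int.from_bytes(raw[4:6], "little"),
                 int.from_bytes(raw[6:8], "little"), bytes(user_data))


def receive(raw: bytes) -> str:
    """Receive path: a bad frame is reported and dropped; the server keeps serving."""
    try:
        frame = parse_frame(raw)
    except ValueError as exc:
        return f"dropped ({exc})"
    return (f"accepted ctrl=0x{frame.ctrl:02x} src={frame.src} "
            f"dest={frame.dest} data={frame.user_data.hex()}")


# Constructed sample traffic: one good frame (unconfirmed user data, ctrl 0xC4)
# and three malformed variants of it.
GOOD = build_frame(0xC4, dest=1, src=1024, user_data=bytes.fromhex("c0c1"))
TRUNCATED = GOOD[:-1]                                  # a byte lost in transit
BAD_LENGTH = GOOD[:2] + b"\x03" + GOOD[3:]             # length field below the legal minimum
BAD_DATA_CRC = GOOD[:-1] + bytes([GOOD[-1] ^ 0xFF])    # corrupted data-block CRC

if __name__ == "__main__":
    for name, frame in [("good", GOOD), ("truncated", TRUNCATED),
                        ("bad length", BAD_LENGTH), ("bad data crc", BAD_DATA_CRC)]:
        print(f"{name:13s} -> {receive(frame)}")
```

Running it prints one line per sample frame: the good frame is decoded and the truncated, mis-lengthed and corrupted variants are each rejected with the field that failed. A protocol fuzzer such as the Aegis Fuzzer mentioned above produces variants of exactly this kind in bulk; fail-closed handling of every one of them, with the process still running afterwards, is the behaviour the server needs to show.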


This is actually a pretty specific expansion of a standard ICS-CERT recommendation to protect control systems from unauthorized access via the use of a firewall or IPS. It is not surprising that Adam and Chris would focus on DNP3 communications since this is an area that they have been spending a great deal of time investigating here recently. It might be interesting if they were to post on the Automatak blog a more detailed discussion about the types of DNP3 rule sets that would provide additional control system protections for DNP3 servers in general.

Sunday, April 28, 2013

ICS-CERT Publishes Two Friday Advisories


On Friday afternoon the DHS ICS-CERT published two advisories for multiple vulnerabilities on MatrikonOPC and a single vulnerability on Galil RIO-47100. Both advisories were based upon coordinated disclosures.

NOTE: Along with a recent change in the ICS-CERT web site format, ICS-CERT has changed their Advisories (and presumably Alerts) from .PDF pages to .HTML pages. They may still be saved as .PDF files, but this should remove some of the complaints heard about ICS-CERT using an ‘inherently vulnerable’ .PDF format for their reports. I’ve even heard some really paranoid individuals complain that ICS-CERT was using the .PDF reports to spread spyware.

MatrikonOPC Advisory

ICS-CERT reports that two vulnerabilities [Link added 4-28-13 07:05 CDT] were reported by Dillon Beresford of Cimation. The vulnerabilities are:

• Path traversal, CVE-2013-0673; and
• Error handling, CVE-2013-0666

(NOTE: CVE links will not be active for a couple of days) [4-28-13 07:05 CDT]

ICS-CERT notes that a relatively low skilled attacker could remotely exploit these vulnerabilities to gain access to system files or crash the configuration utility. They also note that the system must be accessible via the internet for the remote exploitation to be possible.
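Neither this advisory nor the 2018 MatrikonOPC Explorer one above describes the mechanism, so as an added example (not MatrikonOPC's code and not tied to any detail of either advisory) here is the generic shape of a path traversal bug in a file-serving handler beside the check that closes it. The export directory, its files and the request strings are constructed for the example; the resolution on the hardened side follows symlinks, so a link planted inside the export directory that points outside it is refused as well.

```python
"""Added example, not MatrikonOPC's code and not derived from any detail of the
advisories above: the generic shape of a path traversal bug in a file-serving
handler next to the check that closes it. The export directory, its files and
the request strings are constructed here."""
import os
import tempfile
from pathlib import Path


def unsafe_resolve(base_dir: str, requested: str) -> str:
    """Vulnerable: the client-supplied path is trusted, so '../' walks out of
    base_dir and an absolute request replaces base_dir outright."""
    return os.path.join(base_dir, requested)


def safe_resolve(base_dir: str, requested: str) -> Path:
    """Hardened: canonicalise both sides (symlinks included) and refuse any
    result that is not base_dir itself or something beneath it."""
    base = Path(base_dir).resolve()
    # Leading separators are stripped so an absolute request cannot discard base.
    candidate = (base / requested.lstrip("/\\")).resolve()
    if candidate != base and base not in candidate.parents:
        raise PermissionError(f"path escapes export directory: {requested!r}")
    return candidate


def compare(base_dir: str, requested: str) -> dict:
    """Resolve one request both ways and report what each would open."""
    outcome = {"unsafe": os.path.normpath(unsafe_resolve(base_dir, requested))}
    try:
        outcome["safe"] = str(safe_resolve(base_dir, requested))
    except PermissionError as exc:
        outcome["safe"] = f"rejected: {exc}"
    return outcome


def demo() -> dict:
    """Constructed layout: an export directory with one legitimate file and a
    configuration file one level above it that a client must never reach."""
    root = tempfile.mkdtemp()
    export = os.path.join(root, "export")
    os.makedirs(export)
    Path(export, "report.csv").write_text("ok\n")
    Path(root, "server.ini").write_text("password=constructed-sample\n")
    return {
        "legitimate": compare(export, "report.csv"),
        "traversal": compare(export, "../server.ini"),
        "absolute": compare(export, "/etc/passwd"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:11s} unsafe -> {outcome['unsafe']}")
        print(f"{'':11s} safe   -> {outcome['safe']}")
```

The unsafe resolver hands back the configuration file for the traversal request and /etc/passwd for the absolute one; the hardened resolver rejects the traversal and confines the absolute request to a (non-existent) path inside the export directory. Checking the resolved path against the resolved base, rather than looking for the substring "..", is what makes the check hold for encoded separators, mixed slashes and symlinks.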

MatrikonOPC has produced patches that have been verified by Dillon to mitigate the vulnerabilities. The link to the patch page in the advisory does not work [NOTE: As of 04:00 CDT 4-29-13, this has been corrected]. Use this link (http://www.opcsupport.com/ics/support/default.asp?deptID=4590) to the product advisory page instead. Click on the appropriate product and use the instructions on the product page to download the patch.

Galil Advisory

ICS-CERT reports an input validation vulnerability [link added 4-28-13 07:05 CDT] in the Galil RIO-47100 PLC that was reported by Jon Christmas of Solera Networks.

ICS-CERT notes that a moderately skilled attacker could remotely exploit this vulnerability to execute a DoS attack.

A firmware update is available at http://www.galilmc.com/support/firmware-downloads.php and Christmas confirms that it resolves the identified vulnerability. The link in the advisory is good, but it takes you through a ‘You are leaving ICS-CERT’ page which I have always found to be annoying and more than a little mindless. Interestingly the Firmware Release Notes page also explains that the latest release fixes a buffer overflow issue not mentioned in the ICS-CERT advisory.

New Format

As I mentioned earlier, ICS-CERT has changed the format for their Advisories and Alerts. They have gone back and updated earlier alerts (at least through the Clorius Controls Alert from April 1st). Along with changing from a .PDF to .HTML file format, they have significantly modified the typography and slightly modified the layout. In my opinion (FWIW) the changes have detracted from the readability of the documents. This is especially true when the document is saved in a .PDF format.

The change in format also removes two fixtures of the reports. The recently added ‘Traffic Light Protocol’ (TLP) markings have been removed from the documents; a good move in my opinion. The product warranty box at the bottom of the first page of the old format has also been removed. This was one of those legal disclaimer things that we are seeing in too many areas of our public lives and the world would be a better place without them.