Showing posts with label Praveen Darshanam. Show all posts

Tuesday, January 26, 2016

ICS-CERT Publishes Two Advisories

This morning the DHS ICS-CERT published two control system advisories. They were for systems from Rockwell Automation and MICROSYS.

Rockwell Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Allen-Bradley MicroLogix 1100 PLCs. The vulnerability was reported by David Atch of CyberX. Rockwell has produced a firmware update that mitigates the vulnerability, but there is no indication that Atch has been provided the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to run arbitrary code on the device.

MICROSYS Advisory

This advisory describes a memory corruption vulnerability in the MICROSYS PROMOTIC application. The vulnerability was reported by Praveen Darshanam of Versa Networks. MICROSYS has produced a new version which mitigates the vulnerability and Darshanam has verified the efficacy of the fix.

ICS-CERT reports that it would be relatively easy to craft a social engineering exploit of this vulnerability. This is the first time that I have seen ICS-CERT state that crafting a specific social engineering exploit “would be simple”.


The PROMOTIC update note indicates that the vulnerability exists in the TrendsView ActiveX component.

Tuesday, September 8, 2015

ICS-CERT Publishes Advantech Advisory

This afternoon the DHS ICS-CERT published an advisory for multiple stack-based buffer overflow vulnerabilities in the Advantech WebAccess application. The vulnerabilities were originally reported by Praveen Darshanam. According to ICS-CERT, Advantech is planning on releasing a new version that mitigates the vulnerabilities.

ICS-CERT reports that a relatively unskilled attacker could use publicly available proof of concept code to remotely exploit these vulnerabilities to crash the application or execute arbitrary code.

Darshanam published the vulnerabilities with exploit code for each of the four vulnerable ActiveX components on the SCADASEC list yesterday. He explained the reason for publicly releasing the vulnerabilities this way:

“Vulnerabilities were reported to Advantech sometime in January/February 2015, coordinated through CSOC (Australian Cyber Operations Centre) Security. From April 2015 they have been postponing the fix.”


Once again a company that does not work with a security researcher to fix vulnerabilities in its product finds that the researcher can publicly embarrass them. How long is it going to be before the users of control systems can count on their vendors (all of their vendors) to promptly respond to vulnerabilities identified in their products?