Showing posts with label Public Disclosure. Show all posts

Saturday, May 5, 2018

Public ICS Disclosure – Week of 04-28-18


We have one public disclosure of exploit code this week for a previously disclosed Schneider vulnerability. I have also seen some interesting discussions (without any details as they have not yet been disclosed) on the next generation of Spectre vulnerabilities (ingeniously called Spectre NG).

Schneider Exploit


Tenable posted a very short proof of concept exploit to ExploitDB.com for the Schneider InduSoft Web Studio and InTouch Machine Edition. This stack-based buffer overflow vulnerability was reported last month.

Tenable initially reported the vulnerability to Schneider and received credit for that coordinated disclosure in both the ICS-CERT and Schneider advisories. This week, however, they received a lot more press (see here for example) when they released the exploit code for a vulnerability that both ICS-CERT and Schneider noted was exploitable by a relatively low-skilled attacker even without the aid of a publicly disclosed exploit.

Spectre NG


There have been a number of press reports (see here, here and here for example) about the Spectre NG vulnerabilities in the Intel chips. In what appears to be the initial public reporting of these new chip vulnerabilities, Jürgen Schmidt reported that “eight new security flaws in Intel CPUs have already been reported to the manufacturer by several teams of researchers”.

Jürgen also notes:

“An end to patches for hardware problems of the Spectre category is not in sight. But a never-ending flood of patches is not an acceptable solution. You can't shrug off the fact that the core component of our entire IT infrastructure has a fundamental security problem that will keep leading to more problems.”

This is a legacy issue that will be around for a long time.

Saturday, February 17, 2018

Public ICS Disclosures – Week of 02-10-18


This week we have seen an apparently new zero-day reported in an Advantech product, an exploit for a previously released Siemens vulnerability, two new vendor reports from OSIsoft that have not been addressed by ICS-CERT, and two vendor reports issued late this week that may show up in ICS-CERT advisories.

Advantech Zero-Day


Nassim Asrir reported a remote code execution vulnerability in the Advantech WebAccess product. The report on ExploitDB.com includes exploit code. Asrir reports that an attacker could remotely exploit the vulnerability to execute arbitrary OS commands via a single argument.

Siemens Exploit


M. Can Kurnaz published exploit code on ExploitDB.com this week for a previously published vulnerability in the Siemens SIPROTEC 4 and SIPROTEC Compact product families. ICS-CERT had previously reported that a relatively unskilled attacker could remotely exploit this vulnerability, but this just made it that much easier. A firmware patch was made available almost three years ago to mitigate this vulnerability, so hopefully this exploit will be of no practical use.

OSIsoft Advisories


This week OSIsoft released two new product updates that were specifically listed as ‘security updates’. The two products involved were PI Data Archive 2017 R2 and PI Vision 2017 R2.

There were five ‘issues’ reported in the PI Data Archive alert:

• Privilege escalation;
• Improper handling of serialization or comparison of a variable;
• Improper input validation;
• Authentication protocol flaws; and
• High Availability authentication protocol flaws

The PI Vision alert notes that changes were made in the default configuration of HTTP headers to prevent a cross-site scripting issue and two information disclosure issues.

Possibly Pending on ICS-CERT


We have two vendor reports that were issued on Thursday that may still make it to the ICS-CERT site next week so I will just mention them in passing.

ABB does not generally report their advisories to ICS-CERT, but they updated their Meltdown & Spectre advisory that has been mentioned in the ICS-CERT alert on the same topic.

Schneider released a new security advisory listing new products that were affected by one of the previously reported vulnerabilities in their FlexNet Publisher Licensing Service.

Saturday, October 21, 2017

Public ICS Disclosure – Week of 10-15-17

We have two publicly disclosed industrial control system product vulnerabilities this week that were not addressed by ICS-CERT; one reported by a security researcher and the other self-reported by the vendor.

HP Vulnerability


On Wednesday Maor Shwartz from SecuriTeam described on FullDisclosure a cross-site scripting vulnerability in the Hewlett Packard Baseline Smart Gig SFP 24 Ethernet switch. This product was acquired by HP from 3Com (3Com Baseline Switch 2924 SFP Plus Switch) and is no longer supported, so no fix is forthcoming. The SecuriTeam blog provides a proof of concept exploit for the vulnerability.

ABB Vulnerability


On Tuesday Joel Langill, on LinkedIn, pointed out a cybersecurity advisory from ABB on their FOX515T release 1.0 communications equipment. It describes a local file inclusion vulnerability in the embedded web server. This is another out-of-service product with no fix in the works.

Commentary


Joel and I had a brief discussion on LinkedIn about this type of out-of-service vulnerability reporting. I had my typical snarky comment about no one using out-of-service equipment in the ICS realm. Joel had a very interesting reply:

“Like so many of the ICS-CERT advisories. Still wonder why they waste valuable time on disclosures of unsupported equipment. My lab is still a wealth of discovery and exploitation! But I prefer to keep these vulns quiet.”

I have to vigorously disagree with Joel. I think that someone needs to publicize these types of vulnerability reports because so many facilities are actually continuing to use ‘outdated’ control system devices on the ‘if it ain’t broke don’t fix it’ model. Depending on the severity of the vulnerability (and the site-specific risk calculation) the disclosure of these vulnerabilities may be just the ‘it is broke’ incentive that owners need to replace the equipment to avoid the vulnerability. Holding these vulnerabilities in-house (either at a researcher or vendor level) provides little service to owners.


Now, there is a legitimate question if this is an appropriate function for ICS-CERT to perform. I point at them as the default government agency in the control system security realm, but they do not have a specific mandate to do this nor do they have a specific mandate of any kind. They are an agency created out of whole cloth by DHS without specific authorization by Congress. A necessary move, to be sure, but there has been no public discussion of, or political determination of, the specific role of the organization. That really needs to change.

Saturday, September 2, 2017

Public ICS Disclosure – Week of 9-25-17

This week Karn Ganeshen provided exploit information on the Full Disclosure web site for vulnerabilities that he had previously coordinated with ICS-CERT. Most of them are relatively simple DLL insertions so there is nothing here that the experienced researcher would not have been able to deduce from the ICS-CERT reports on the vulnerabilities. I include these here since ICS-CERT will not update their advisories to indicate that exploits are publicly available.

The affected products include:

• Schneider Electric Pro-Face WinGP - ICSA-17-215-01;
• Solar Controls WATTConfig M Software - ICSA-17-222-03;
• Solar Controls Heating Control Downloader - ICSA-17-222-02;
• SIMPlight SCADA Software - ICSA-17-222-01;
• SpiderControl SCADA Web Server - ICSA-17-234-03;
• Spider Control SCADA MicroBrowser - ICSA-17-234-02;
• Moxa SoftNVR-IA Live Viewer - ICSA-17-220-02; and
• AzeoTech DAQFactory - ICSA-17-241-01

Saturday, July 1, 2017

Public ICS Disclosure – Week of 6-24-17

On Friday Karn Ganeshen described an uncontrolled search path element vulnerability in the Schneider Electric Pro-Face WinGP in a post on SECLISTS.com. The information provided includes a proof-of-concept exploit. There is no information provided indicating any attempts at coordinated disclosure.

Earlier this week Ganeshen also published proof-of-concept exploits for two other Schneider products for which an ICS-CERT advisory had been published; ICSA-17-094-01 and

Saturday, April 15, 2017

Public ICS Vulnerability Disclosure – Week of 04-09-17

This week John Page (HYP3RLINX) published three control system security vulnerability reports on the Full Disclosure mailing list; all three reports include proof of concept exploit code. All three of the vulnerabilities were for products from Moxa; two for Moxa MXView (here and here) and one for MX-AOPC UA SERVER (here). Page reports that these were coordinated disclosures and that Moxa has updated firmware to mitigate all three vulnerabilities.

MXView


The two reported vulnerabilities are:

• Remote private key disclosure - CVE-2017-7455; and
• Denial of service - CVE-2017-7456

MX-AOPC UA SERVER



The sole reported vulnerability for this product is an XML external entity injection (CVE-2017-7457) vulnerability.

Saturday, April 8, 2017

Public ICS Vulnerability Disclosure – Week of 04-02-17

This week there were three public control system security vulnerability disclosures; two published on the Full Disclosure web site and one on SecurityWeek.com. The affected devices include data loggers, network connection devices and PLCs.

PLCs


On Wednesday Eduard Kovacs published an article about twin vulnerabilities in the Schneider Electric Modicon programmable logic controllers (PLCs) that were reported by Simon Heming, Maik Brüggemann, Hendrik Schwartke and Ralf Spenneberg of OpenSource Security. The reported vulnerabilities were:

• Hardcoded encryption key; and
• Password sent in clear text

Schneider received notification of the vulnerabilities back in December, but some snafu occurred and no action was taken. OpenSource published the vulnerabilities on their web site (here and here) on Tuesday.

NOTE: I tweeted about this vulnerability on Wednesday.

Data Logger


On Thursday Karn Ganeshen announced multiple vulnerabilities in data loggers, meter monitors and electric meters from SenNet. The reported vulnerabilities are:

• No access control on the remote shell;
• Shell services running with excessive privileges;
• OS command injection (with POC); and
• Insecure transport

Ganeshen reported that the vendor has fixed the vulnerabilities and ICS-CERT will be issuing an advisory.

Network Connection Devices


On Thursday Karn Ganeshen announced SNMP vulnerabilities in network communication equipment from Cambium. The reported vulnerabilities are:

• SNMP community strings privileges are not enforced correctly;
• Device configuration backups – access control issues; and

Ganeshen also reports that the Cambium devices are also subject to the following design flaws that magnify the above vulnerabilities:

• It is possible to access full device configuration using SNMP. Device configuration includes usernames, passwords, SSIDs, keys, certificates, syslog config, and other network & wifi specific details.
• It is possible to trigger configuration backups, which can then be retrieved using SNMP.
• It is possible to wipe out and / or make changes to the device configuration remotely.


Ganeshen reports that ICS-CERT was notified on September 12th, 2016 and on April 5th Cambium announced that the vulnerabilities would be fixed in 2nd Quarter 2017.

Saturday, March 11, 2017

Public ICS Vulnerability Disclosures – Week of 03-04-17

This week there were two control system vulnerability disclosures on the Full Disclosure web site. The first is for an access control platform and the second is for a laboratory information management system (LIMS) used in medical labs.

Access Control Platform


On Wednesday Andrew Griffiths from the Google Security Team announced multiple vulnerabilities in the Spider access control platform from SICUNET. The vulnerabilities include:

• Outdated software;
• PHP include();
• Unauthenticated remote code execution;
• Hardcoded root credentials; and
• Passwords stored in plaintext

As expected from the Google Security Team, the vendor was notified of the vulnerabilities multiple times, but no reply was received within the standard 90-day disclosure window used by Google.

DNA LIMS


On Thursday Nicholas von Pechmann from Shorebreak Security announced multiple vulnerabilities in the dnaLIMS application from dnaTools. The vulnerabilities include:

• Improperly protected web shell - CVE-2017-6526;
• Unauthenticated Directory Traversal - CVE-2017-6527;
• Insecure Password Storage - CVE-2017-6528;
• Session Hijacking - CVE-2017-6529;
• Cross-site Scripting (2 instances); and
• Improperly Protected Content

The Shorebreak Security Advisory provides proof of concept code for most of these vulnerabilities and reports that they have developed Metasploit modules for many of them.


Shorebreak notified the vendor in November of the vulnerabilities. While dnaTools replied that the application should be kept behind a firewall, there was no indication given to the researchers that there would be any attempt to fix the vulnerabilities. Multiple university laboratories have on-line login pages for this application that are readily found via Google.

Saturday, October 29, 2016

Public ICS Vulnerability Disclosures – 10-29-16

This week saw a public disclosure of a control system security vulnerability at the 2016 Industrial Control Systems (ICS) Cyber Security Conference (the old Joe Weiss conference under new management). Indegy CTO Mille Gandelsman presented a talk, “Ghost in the Machine: SCADA Vulnerability Enables Remote Control of ICS Networks”, about a vulnerability in the Schneider UnityPro software platform. This was a coordinated disclosure with Schneider publishing a Security Notification concerning the vulnerability.

Reading the Indegy blog post about this vulnerability and then looking at the Schneider notification, it almost looks like the two organizations are looking at two separate vulnerabilities. Indegy describes the vulnerability consequences this way:

“The vulnerability in Unity Pro allows any user to remotely execute code directly on any computer on which this product is installed, in debug privileges. The vulnerable software tool is present in every control network in the world that uses Schneider-Electric controllers. Regardless of the SCADA/DCS applications in use, if Schneider Electric controllers are deployed, this software will be used on the engineering workstations. This makes this attack relevant across virtually any process controlled by these PLCs. Since Schneider Electric is one of the largest industrial control equipment providers, this vulnerability is a major concern.”

Schneider simply notes: “This vulnerability is made possible when no application program has been loaded in the simulator or when the application program loaded in the simulator is not password protected.”

Schneider has produced a new version of the software that mitigates the vulnerability. They still note that: “It is up to user responsibility to protect his application by a proper password.”


Schneider published their notification on October 14th and the Indegy presentation was made on October 25th. ICS-CERT has not yet reported on this vulnerability, though it has been widely reported in the press (see for example here and here).

Saturday, September 17, 2016

Public ICS Vulnerability Disclosure – 09-10-16

This week there was one public disclosure of an industrial control system vulnerability on the Full Disclosure mailing list. Karn Ganeshen reported a number of vulnerabilities in the BINOM3 Electric Power Quality Meter. Karn reports submitting a vulnerability notification to ICS-CERT on May 25th, 2016, noting that there has been no reply from the Russian vendor to date.

The reported vulnerabilities include:

• Reflected cross-site scripting;
• Stored cross-site scripting;
• Weak credentials;
• Undocumented root account;
• Sensitive information stored in clear text;
• Vulnerable to cross-site request forgery;
• Sensitive data leakage; and
• Access control issues


With their 45-day non-response disclosure policy it seems odd that ICS-CERT has not issued an advisory on this vulnerability.