Showing posts with label WannaCry.

Saturday, June 23, 2018

Public ICS Disclosures – Week of 06-16-18


This week we have a vendor disclosed vulnerability from ABB, a third-party vulnerability disclosed by Rockwell and an update on a WannaCry advisory from Siemens.

ABB Vulnerability


ABB published an advisory for a DLL hijacking vulnerability in their Pluto Manager. The vulnerability was reported by Herman Groeneveld. ABB has a new version that mitigates the vulnerability. There is no indication that Groeneveld has been provided an opportunity to verify the efficacy of the fix.

ABB reports that a social engineering attack would be required to get an authorized user to load a malicious DLL. A successful exploit would allow the attacker to run malicious code.

Rockwell 3rd Party Vulnerabilities


Rockwell published an advisory for vulnerabilities in their Allen-Bradley® Stratix® 5950 Security Appliance due to five reported vulnerabilities in the Cisco Adaptive Security Appliance (ASA) Software. Rockwell has provided a set of workarounds for one of the vulnerabilities and a link to the Cisco SNORT for another. No mitigations are currently available for the other three. Future software updates are planned.

The five reported vulnerabilities are:

• Flow Creation Denial of Service Vulnerability - CVE-2018-0228;
• Virtual Private Network SSL Client Certificate Bypass Vulnerability - CVE-2018-0227;
• Transport Layer Security Denial of Service Vulnerability - CVE-2018-0231;
• Application Layer Protocol Inspection Denial of Service Vulnerabilities - CVE-2018-0240; and
• Web Services Denial of Service - CVE-2018-0296.

As with all 3rd party vulnerability reports, the open question is how many other ICS vendors are using the Cisco ASA software?

Siemens WannaCry Update


Siemens updated their advisory for the WannaCry vulnerability in their Molecular Diagnostics Products from Siemens Healthineers. The original advisory was linked to in the 3rd update to the ICS-CERT WannaCry Alert in May of last year. The update notes that “Healthineers customer service engineers have been deploying fixes to affected systems”.

Depressing News


Any time that I start to feel hopeful about issues related to control system cybersecurity (I am an optimist by nature) I go to the Zero Day Initiative web site and look at the list of ‘Upcoming Advisories’ curated by that organization. The number of control system names in the vendor column is daunting to say the least.

Saturday, March 3, 2018

Public ICS Disclosures – Week of 2-24-18


We have two new vendor security advisories this week from Schneider and Siemens. Siemens also published an update to their ultrasound products notice for the WannaCry vulnerability. I mentioned the Siemens advisory and update in passing earlier this week.

Schneider Advisory


This advisory describes 11 vulnerabilities in the Pelco Sarix Professional fixed IP video surveillance cameras. The vulnerabilities were variously reported by Deng Yongkai of NSFOCUS Security Team, Melih Berk Eksioglu of Biznet Bilisim A.S., and Gjoko Krstic of Zero Science Labs. Schneider has a new firmware version that mitigates the vulnerabilities. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities include:

• Information disclosure - CVE-2018-7227;
• Authentication bypass (3) - CVE-2018-7228, CVE-2018-7229, and CVE-2018-7236;
• XML external entity vulnerability - CVE-2018-7230;
• Command execution vulnerability (4) - CVE-2018-7231, CVE-2018-7232, CVE-2018-7233, and CVE-2018-7235;
• Arbitrary file download - CVE-2018-7234; and
• Arbitrary file delete - CVE-2018-7237.

ICS-CERT has published some surveillance camera security advisories, but it has been hit and miss. My coverage here has also been hit and miss since I lost (paid) access to the IPVM web site; they are certainly the best information source for vulnerability information (and lots of other information) on video systems. Since Schneider owns Pelco, there will be specific coverage in these weekly posts as appropriate since Schneider publishes a list of advisories as they are issued. That does not mean that other video systems are vulnerability free, just that I have not seen their reports.

Siemens Advisory


This advisory describes 8 vulnerabilities in the Siemens SIMATIC industrial PCs. The vulnerabilities are due to the presence of one or more of three Intel products in the PCs; Intel reported on these vulnerabilities back in November, 2017. Siemens has identified a generic workaround for the vulnerabilities and there is no indication that further mitigations are in the works.

The reported vulnerabilities include:

• Buffer overflow (5) - CVE-2017-5705, CVE-2017-5706, CVE-2017-5707, CVE-2017-5711, and CVE-2017-5712; and
• Privilege escalation (3) - CVE-2017-5708, CVE-2017-5709, and CVE-2017-5710.

The underlying Intel problems are widespread and relatively serious. The Siemens advisory does not comment on the Intel mitigation measures (required dual firmware and software updates) nor the Intel detection tool. I wonder if they are still checking to see if those mitigations are compatible with their products or whether they are working on updates that will work with the Intel mitigation measures. It is not like Siemens not to provide this type of information.

Siemens Update


This update describes new mitigation information for the WannaCry vulnerability in the Siemens Healthineers ultrasound products. Technically, this update was included (but certainly not mentioned) in the latest ICS-CERT update of their WannaCry Alert (dated June 13th, 2017) since the link for this product line automatically takes one to the latest version.

Monday, June 12, 2017

ICS-CERT Publishes WannaCry Update (#9)

Today the DHS ICS-CERT published their first WannaCry update in almost two weeks. The last update was published on May 31st for the alert that was originally published on May 15th, 2017. The update includes a link to new vendor information and a link to the update in the STIX format, a machine-readable format for sharing cyber threat information.

The new vendor information comes from Johnson & Johnson. The Update provides a link to a new ‘Security Advisories’ page which contains links to two product advisories: Certus®140 System and Carto®3 System. No really new information is available in either document.

ICS-CERT kept the original Johnson & Johnson link in the Update. Unfortunately, that link now has nothing to do with WannaCry. All mention was removed leaving it just a generic cybersecurity disclosure reporting page. That link probably should have been removed from the Update.

ICS-CERT did miss reporting on Siemens WannaCry updates for a number of their products, including (thanks to the Siemens ProductCERT for their tweets):

Ultrasound products, published June 1st;
Mammography products, published June 1st;
Multimodality Workplace products, published June 1st;
Siemens Healthineer products, published June 1st; and
Advanced Therapy products, published June 9th.

These were mainly just product update reports.


BTW: I half expected to see an ICS-CERT alert on CrashOverride today since US-CERT came out with their alert today. I’m still reading the Dragos paper but it sounds interesting. More to come, I’m sure.

Committee Hearings – Week of 06-11-17

This week with both the House and Senate in session the FY 2018 budget is still the big deal in congressional hearings. There are also three other hearings that may be of specific interest to readers of this blog: DHS authorization and cybersecurity.

Budget


Because of having to deal with the FY 2017 spending bill earlier this year, Congress is behind in the budgeting/spending process. Hearings this week will be looking at the department budgets. These are high-level discussions of the President’s spending plan; don’t expect much in the way of details.

Hearings of potential interest to readers of this blog include:

• Monday, House, DOD, Armed Services Committee;
• Tuesday, Senate, DOD, Armed Services Committee;
• Wednesday, House, DOT, Appropriations Committee – Subcommittee;
• Wednesday, Senate, DOD, Appropriations Committee – Subcommittee;
• Thursday, House, DOD, Appropriations Committee – Subcommittee;
• Thursday, House, DOT, Appropriations Committee – Subcommittee;
• Thursday, House, EPA, Appropriations Committee – Subcommittee.

DHS Authorization


As I mentioned earlier today, the House Homeland Security Committee will be holding a markup hearing Wednesday on HR 2825, the FY 2018 DHS Authorization Act. There is already a link to the substitute language that the Committee will markup. I expect that we will see additional amendments posted to the site tomorrow afternoon.

Cybersecurity


There will be two cybersecurity related hearings this week. One will look at IoT opportunities and challenges and the other will look at WannaCry.

Tuesday the Digital Commerce and Consumer Protection Subcommittee of the House Energy and Commerce Committee will hold a hearing looking at “Disrupter Series: Update on IOT Opportunities and Challenges”. The witness list includes:

• Mark Bachman, Integra Devices
• Gary D. Butler, Camgian Microsystems Corporation
• Cameron Javdani, Louroe Electronics
• Peter B. Kosak, General Motors North America
• Bill Kuhns, Vermont Energy Control Systems LLC
• William S. Marras, the Spine Research Institute

On Thursday the Oversight Subcommittee and the Research and Technology Subcommittee of the House Science, Space, and Technology Committee will hold a joint hearing on “Bolstering the Government’s Cybersecurity: Lessons Learned from WannaCry”. The witness list includes:

• Salim Neino, Kryptos Logic
• Charles H. Romine, National Institute of Standards and Technology
• Hugh Thompson, Symantec
• Gregory J. Touhill, Carnegie Mellon University

Wednesday, May 31, 2017

Sigh – ICS-CERT Updates WannaCry Alert Again (#8)

Today the DHS ICS-CERT published another update to their WannaCry Alert that was originally published on May 15th. There is no new information specifically from ICS-CERT, but links are provided to information from four new vendors:

Beckman Coulter (multiple products);
Samsung (generic);
Toshiba (generic); and
Toshiba Medical Systems (generic).

Beckman takes a very detailed approach, but one that is significantly different than the one Siemens has used. They start off by providing a single web page that is the source of information about each of their product lines. Then they classify each product into specific and limited categories:

• Not a Microsoft OS – no problem;
• Microsoft patch has already been deployed by Beckman;
• Neither patch nor WannaCry is applicable to the version of Windows® used;
• Products where hardware firewall is recommended;
• Products where detailed specific recommendations are provided; and
• Oops, we don’t know yet; wait for more information.


Each time Beckman identifies a product as a firewall candidate, they include a link to an interesting article about firewall protections against WannaCry by the NH-ISAC. The Q&A at the end of that brief article is particularly well done. I am surprised that ICS-CERT has not included that link in this Alert.

Tuesday, May 30, 2017

ICS-CERT Updates WannaCry Again (#7)

Today the DHS ICS-CERT published yet another update (#7) to their WannaCry Alert that was originally published on May 15th. While the previous updates just generally added links to vendor reports on affected products, this one provides new information about the growing number of malware families that exploit the same Windows® SMB vulnerability used by WannaCry. It also continues to add new links to new and updated vendor information.

More Malware


This update provides a very brief discussion about three additional malware examples that use the same Windows vulnerability. Those malware are:

UIWIX ransomware;
Adylkuzz Trojan; and
EternalRocks worm.

New Vendor Links



The update provides links to a new vendor information product from Johnson Controls. Additionally, links are provided to updated information products from Siemens (Computed Tomography Products, Magnetic Resonance Products, and Biograph mMR). No really new information in any of these documents.

Friday, May 26, 2017

ICS-CERT Updates WannaCry Again (#6)

Yesterday the DHS ICS-CERT provided their 6th update to their WannaCry Alert that was originally published on May 15th and last updated on May 22nd. They added links to vendor advisories from:


Both of these vendor advisories make an important note of one of those problems that have not generally been mentioned in the WannaCry debate: control system compatibility with operating system updates. Both vendors specifically state that they have verified the operation of their Windows® based products with the March MS update that dealt with the SMB vulnerability that underlies the WannaCry attack.

I did a more lengthy post on this issue back in January of 2012 and it is something that all ICS owners should be aware of. Automatic updating of the OS on the machine upon which the industrial control system resides is not necessarily a good thing. Add to that the cases where the ICS is so intertwined with the MS-OS that the vendor has to issue their own patch (see the Spacelabs discussion about their XTR 96280) to implement the MS fix. This results in an additional delay between the identification of the problem and the time that the device owner has any chance of fixing it.


Just one more problem with implementing security on industrial (and medical, and ….) control systems.

Friday, May 19, 2017

ICS-CERT Updates WannaCry Alert Again (#4)

For the fourth day in a row the DHS ICS-CERT updated their alert for the WannaCry ransomware. It was originally published on Monday and the latest update was yesterday. Today’s update adds links to WannaCry notifications from the following vendors:

Tridium; and


The update also provides a link to a general WannaCry support document from Siemens Healthineers. This document and a further linked Siemens’ blog post provide a good technical discussion of the WannaCry problem and solutions, including links to Microsoft updates for ‘unsupported’ (outdated?) Windows operating systems still in use by Siemens Healthineer (and too many other industrial control) products.

ICS-CERT Updates WannaCry Alert, Updates 2 Advisories and Publishes 2

Yesterday the DHS ICS-CERT published another update of their WannaCry ransomware alert, updates for two advisories, and published new advisories for products from Schneider Electric and Miele Professional. They also published a notice about the date of the Fall 2017 ICSJWG meeting in Pittsburgh, PA on September 12-14, 2017.

WannaCry Update


This update provides new information on the alert published on May 15th and updated on May 16th and again on May 17th. Unfortunately, I missed yesterday’s update so I will list both sets of changes at one time. The new information includes WannaCry advisories from the following vendors:

Philips (general security web page, scroll down to WannaCry article);
Johnson & Johnson (general security web page, scroll down to WannaCry article); and

GE Proficy Update


This update provides new information on the advisory originally published on January 17th, 2017 and updated on January 24th. The update provides links to updates for the following products:

• GE has released new versions of the Historian software, Version 6.0 SIM 9 (Standard and Enterprise);
• GE has released a new version of the Historian software, Version 5.5 SIM 37;
• GE has released a new version of the CIMPLICITY software, Version 8.2 SIM 49; and
• GE has released a new version of the CIMPLICITY software, Version 9.0 SIM 22.

NOTE: The contact information for receiving CIMPLICITY v9.5 and Historian v7.0 has inexplicably been removed from this update. GE still recommends updating to these versions.

GE Multilin Update


This update provides new information on the advisory originally published on April 27th, 2017. The update adds two new affected product lines to the advisory:

• Universal Relay, firmware Version 6.0 and prior versions, and
• URplus (D90, C90, B95), all versions.

Update information is provided for the Universal Relay products. GE expects to release the URplus firmware updates in July. The 369 Motor Protection Relay firmware update is still expected to be released next month.

Schneider Advisory


This advisory describes an incorrect default permissions vulnerability in the Schneider Wonderware InduSoft Web Studio. The vulnerability was reported by Karn Ganeshen. Schneider has released a new service pack to address the vulnerability. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker with authorized access could exploit this vulnerability to escalate his or her privileges. The Schneider Security Notification expands that to state:

“The directory and files are added to system's PATH. Therefore, they can be manipulated by non-administrator users to write malicious files/DLLs and escalate privileges once these are executed.”
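One way to check a Windows host for the condition the Schneider notification describes, a directory on the system PATH that non-administrators can write to, is to walk the machine-wide PATH and report every entry whose ACL grants create, delete or permission-change rights to a broad group. The script below is an added example written for this post, not code from Schneider or ICS-CERT. It assumes Windows with PowerShell 3.0 or later and an elevated prompt (so every directory's ACL can be read); the group list and the rights mask it uses are assumptions, not values from the advisory.

```powershell
# Added example (not from the Schneider notification or ICS-CERT): find directories on the
# machine-wide PATH that broad, non-administrative principals can write to. Such a directory
# lets an unprivileged user drop a DLL or executable that a privileged process later loads.
# Assumes Windows with PowerShell 3.0+ and an elevated prompt (needed to read every ACL).

function Get-WritablePathEntry {
    [CmdletBinding()]
    param(
        # Defaults to the machine-wide PATH, which services and every user inherit.
        [string]$PathValue = [Environment]::GetEnvironmentVariable('Path', 'Machine'),

        # Principals that should never hold write rights on a search-path directory.
        # This list is an assumption; extend it with site-specific groups as needed.
        [string[]]$BroadPrincipals = @(
            'Everyone',
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE'
        )
    )

    # Rights that let a caller add, replace or remove files, or rewrite the ACL itself.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, Delete, ChangePermissions, TakeOwnership'
    # Some ACEs carry generic access bits (GENERIC_WRITE, GENERIC_ALL) instead of specific rights.
    $genericWrite = 0x40000000
    $genericAll   = 0x10000000

    foreach ($entry in ($PathValue -split ';')) {
        $dir = [Environment]::ExpandEnvironmentVariables($entry.Trim())
        if (-not $dir) { continue }

        if (-not (Test-Path -LiteralPath $dir -PathType Container)) {
            # A PATH entry that does not exist is itself a finding: whoever can create
            # the directory gains a slot in the search path.
            [pscustomobject]@{ Directory = $dir; Principal = '<missing directory>'; Rights = '' }
            continue
        }

        $acl = Get-Acl -LiteralPath $dir
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }

            # Cast to int so undefined (generic) enum values can be masked as well.
            $raw = [int]$ace.FileSystemRights
            $canWrite = (($raw -band $writeMask) -ne 0) -or
                        (($raw -band $genericWrite) -ne 0) -or
                        (($raw -band $genericAll) -ne 0)
            if ($canWrite) {
                [pscustomobject]@{
                    Directory = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights.ToString()
                }
            }
        }
    }
}

# Report; an empty table means no broad principal can write into any PATH directory.
Get-WritablePathEntry | Format-Table -AutoSize
```

Any row in the report is a directory that should have its ACL tightened (or be removed from the PATH) before the vendor service pack is treated as the whole fix, since an installer that re-adds a directory with default permissions will recreate the same exposure.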

Miele Advisory


This advisory describes a path traversal vulnerability in the Miele Professional PG 8528, a large capacity cleaner and disinfector used in hospitals and laboratory settings. This advisory provides updated information on the ICS-CERT alert on this vulnerability reported on March 30th, 2017. ICS-CERT still does not provide a link to the public disclosure by Jens Regel. Miele has provided software updates to mitigate the vulnerability. There is no indication that Regel has been provided an opportunity to verify the efficacy of the fix.


ICS-CERT reports that a relatively unskilled attacker could remotely use the publicly available exploits to read or modify sensitive data or files, execute unauthorized code or commands, and possibly cause a system crash.

Wednesday, May 17, 2017

ICS-CERT Updates WannaCry Alert and Publishes 4 Advisories

Yesterday the DHS ICS-CERT updated their earlier alert on the WannaCry ransomware. They also published four control system security advisories for products from Schneider Electric (2), Hanwha Techwin, and Detcon.

WannaCry Update


This update provides additional information on the alert that was issued yesterday. The new information includes:

• Links to two new vendor advisories from ABB and Siemens; and
• Links to some generic information (here and here) from the FDA on medical device security.

Siemens makes an important point about medical device cybersecurity:

“We would like to point out that neither the use of an email client nor browsing the internet is part of the intended use of most of the product types covered by this Siemens Security Bulletin.”

The ABB document does mention restricting SMB protocol use but stops short of recommending disabling the protocol as suggested by Microsoft. They do note:

“This will help to prevent spreading of the WannaCry malware from individual compromised computers. For specific guidance please see additional communication for specific ABB solutions and contact your local ABB service organization.”

NOTE: The US-CERT also updated their alert for this malware.

Schneider VAMPSET Advisory


This advisory describes an improper input validation vulnerability in the Schneider VAMPSET tool. The vulnerability was reported by Kushal Arvind Shah from Fortinet's Fortiguard Labs. Schneider has produced a new firmware version to mitigate the vulnerability. There is no indication that Shah has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker with local access could exploit the vulnerability to cause the software to enter a denial-of-service condition. The Schneider Security Notification reports that the vulnerability has no effect on the operation of the protection relay to which VAMPSET is connected.

Techwin Advisory


This advisory describes an improper access control vulnerability in the Hanwha Techwin SRN-4000 network video management platform. The vulnerability was reported by Can Demirel and Faruk Unal of Biznet Bilisim. Techwin reports that a newer version mitigates the vulnerability. ICS-CERT reports that the researchers have verified the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to allow the attacker remote access to the web management portal with admin privileges without authentication.

Schneider SoMachine Advisory

This advisory describes two vulnerabilities in the Schneider SoMachine HVAC software. The vulnerabilities were separately reported by Zhou YU and Himanshu Mehta. Schneider reports that a newer version mitigates the vulnerabilities. There is no indication that either researcher has been provided the opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2017-7965; and
• Uncontrolled search path element - CVE-2017-7966

ICS-CERT reports that a relatively unskilled attacker (no access characterization) could exploit the vulnerability to allow arbitrary code execution and could cause the device that the attacker is accessing to crash due to a buffer overflow condition.

NOTE: The Schneider Security Notification only addresses the buffer overflow vulnerability.

Detcon Advisory


This advisory describes two vulnerabilities in the Detcon SiteWatch Gateway. The vulnerabilities were reported by Maxim Rupp. ICS-CERT reports that Detcon no longer owns or services the SiteWatch Gateway product, but is attempting to notify customers of the vulnerabilities.

The two reported vulnerabilities are:

• Improper authentication - CVE-2017-6049; and
• Plaintext storage of passwords - CVE-2017-6047


ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to allow remote code execution. An attacker who exploits these vulnerabilities may be able to change settings on the affected product or obtain user passwords.

Tuesday, May 16, 2017

ICS-CERT Publishes WannaCry Alert

Yesterday the DHS ICS-CERT published a control system security alert for the WannaCry ransomware. This alert is a follow-up to the US-CERT alert on the same attack vector. The alert provides links to three vendor sites providing information about indicators of attacks on their Microsoft Windows® based control system products. Those vendors (and their WannaCry links) are:

Rockwell Automation (log on required);

Both the Schneider and BD advisories emphasize that while medical and industrial control systems have been affected, this is a Microsoft Windows based ransomware attack. They both recommend ensuring that the Microsoft patch for the MS17-010 SMB vulnerability be applied to all Windows based machines (including Windows XP and Windows 8). Interesting that neither vendor alert nor the ICS-CERT alert discusses the Microsoft suggestion to turn off the SMB file sharing tool.


ICS-CERT expects to update this alert with additional vendor information when it becomes available.
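The two conditions the vendor advisories and the Microsoft guidance turn on, whether the MS17-010 update is present and whether the SMBv1 server is still enabled, can both be checked from PowerShell. The script below is an added example, not code from ICS-CERT, Microsoft or either vendor. It assumes PowerShell 3.0 or later; on hosts without the SmbShare module (Windows 7 and earlier) it falls back to the documented LanmanServer registry value. The KB list is the set published with the MS17-010 bulletin in March 2017; on Windows 10, later cumulative updates supersede those identifiers, so "not found" there is not proof of exposure and the OS build should be compared against the bulletin instead.

```powershell
# Added example (not from ICS-CERT, Microsoft or any vendor advisory): report whether a
# Windows host still has the SMBv1 server enabled and whether a March 2017 MS17-010
# update is installed. Assumes PowerShell 3.0+; the registry fallback covers hosts that
# lack Get-SmbServerConfiguration (Windows 7 and earlier).

function Get-Smb1ServerState {
    # Windows 8 / Server 2012 and later expose the setting directly.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Older hosts: the documented LanmanServer switch. A missing value means SMBv1 is on.
    $params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -ErrorAction SilentlyContinue
    if ($null -eq $params -or $null -eq $params.SMB1) { return $true }
    return ($params.SMB1 -ne 0)
}

function Get-Ms17010Status {
    param(
        # KB identifiers released with the MS17-010 bulletin (March 2017). Later cumulative
        # updates on Windows 10 supersede these, so absence alone does not prove exposure.
        [string[]]$KnownKb = @(
            'KB4012212', 'KB4012215',   # Windows 7 SP1 / Server 2008 R2 (security-only / rollup)
            'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
            'KB4012214', 'KB4012217',   # Server 2012
            'KB4012598',                # XP, Server 2003, Vista, Server 2008, Windows 8
            'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607
        )
    )
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $found = @($KnownKb | Where-Object { $installed -contains $_ })
    [pscustomobject]@{
        Ms17010KbFound = $found
        Patched        = ($found.Count -gt 0)
    }
}

function Get-WannaCryExposureReport {
    $smb1  = Get-Smb1ServerState
    $patch = Get-Ms17010Status
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        OSVersion        = $os.Version
        Smb1Enabled      = $smb1
        Ms17010KbFound   = ($patch.Ms17010KbFound -join ', ')
        # The combination the worm needs: SMBv1 reachable and the SMB fix absent.
        Smb1AndUnpatched = ($smb1 -and -not $patch.Patched)
    }
}

Get-WannaCryExposureReport | Format-List
```

On Windows 8 / Server 2012 and later, `Set-SmbServerConfiguration -EnableSMB1Protocol $false` is the switch behind the Microsoft suggestion the post mentions; as with OS updates, the control system vendor's own compatibility statement should be checked before turning the protocol off on a production HMI or engineering workstation.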
 