ICS-CERT has been busy this week. Today they issued two new
control system advisories and updated two Siemens advisories. The new
advisories are for vulnerabilities in Fox DataDiode Proxy Server and the
IOServer application. The two Siemens advisories have already been mentioned
here this week.
Fox Advisory
This advisory
concerns a cross-site request forgery (CSRF) vulnerability in the web administration
interface. It was reported by Tudor Enache of HelpAG in a coordinated
disclosure. A new release has been produced that mitigates the vulnerability,
but there is no mention of whether the efficacy has been verified by Enache. This
advisory was originally released on the US CERT secure portal on September 26th.
ICS-CERT reports that a two-phase social engineering attack
would be required to remotely exploit this vulnerability to conduct a DoS
attack.
IOServer Advisory
This advisory concerns an out-of-bounds read vulnerability reported
by Sistrunk-Crain (ICS-CERT changed up the order of the team name) in a
coordinated disclosure. A new version mitigates the vulnerability and the
efficacy has been verified by Adam Crain.
ICS-CERT reports that a moderately skilled attacker could
remotely exploit this vulnerability to crash the OPC Server application.
There is an interesting comment by ICS-CERT in the
Vulnerability Characterization section of the advisory. They state:
“A vague interpretation of the DNP3
protocol may allow a null header to cause an out of bound read command to
create large numbers of entries in the master in some implementations. This is not a
universal problem for all DNP3 users, vendors or integrators [emphasis
added], but it may occur.”
That plus a reference to a DNP3
Application Note addressing this issue seems to indicate that this is a
problem that might affect other systems. Not that Chris and Adam have ever
found vulnerabilities in DNP3 implementations that affect multiple platforms
(sorry for the low-level sarcasm here). As of 9:00 pm CDT this advisory is not
listed on the Project Robus web
site.
Siemens OpenSSL Update
Well, it looks like we are going to need at least update G to
get this correct. Yesterday ICS-CERT
reported that ROX 1 was the only outstanding affected system without an
update, completely missing the APE 1 with eLAN and ROX 2 with eLAN. Well, with
the Siemens
ProductCERT announcement today that the ROX 1 update was now available,
ICS-CERT is still failing to report the continuing vulnerabilities in APE 1
with eLAN and ROX 2 with eLAN. Well, maybe tomorrow.
Ruggedcom Certificate Update
ICS-CERT missed the
earlier announcement that the ROX 2 update was available, but they did catch up today
when Siemens
ProductCERT announced that the ROX 1 update was now available. So far so
good. Unfortunately, ICS-CERT also changed their reporting of the affected
versions of these two devices. The earlier listing was correct, and the affected
versions had not changed in the latest Siemens report. I know; minor details.
I’m beginning to wonder if anyone at ICS-CERT actually reads
the Siemens alerts. The bigger question is how accurate are the other
vulnerability reports from ICS-CERT, the ones that we can’t check because the
vendor is not as meticulous in reporting their vulnerabilities as is Siemens?