#######################################################################

Title:  lazy comments on some advisories released on ICS-CERT
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web:    aluigi.org
Update: 08 Jun 2012

#######################################################################

One of the various disadvantages of "non or partial" disclosure is that
often a bug that deserves nothing (read "non critical", or not even a
security bug) grabs our attention simply because there are no public
details about it, so it may be anything unless you re-find it yourself
in the vulnerable software (time to waste).

Luckily, anyone with a bit of experience in this field can recognize
the bugs that "smell" or look not so critical.

So I have decided to collect my personal opinions about the advisories
released by ICS-CERT regarding industrial/ics/SCADA software:

  http://www.us-cert.gov/control_systems/ics-cert/

Mine are only some quick and personal thoughts based on the poor amount
of information and details available in such advisories.

Notes:
- I refer only to alerts about claimed vulnerabilities in software (no
  hardware/PLC for the moment, although there is no real difference)
- this collection of comments is not something against ICS-CERT: in
  their alerts they simply write what the researcher or the vendor told
  them, so if something is deliberately unclear or overvalued it's not
  the fault of ICS-CERT
- this is just a quick document, something like showing what I think
  about this or that bug... just for fun

#######################################################################

=====================================================
ICSA-12-158-01 - Siemens WinCC Multiple Vulnerability
=====================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-12-158-01.pdf

- CROSS-SITE SCRIPTING
  reflected xss, so not a bug

- XML (XPATH) INJECTION
  seems interesting but no info about the required privileges and what
  files can be modified (I mean what "settings"), so I suppose it can be
  exploited by an unauthenticated attacker (I hope it's not a reflected
  xss)

- DIRECTORY TRAVERSAL
  only authenticated attacker, so no risk

- BUFFER OVERFLOW
  DiagAgent is not enabled by default and looks like a debugging
  feature, then there are no details about the buffer overflow (the
  CVSS is very low) or where it's located, so no real risk

- CROSS SITE SCRIPTING
  another reflected xss, so not a bug

========================================================
ICSA-12-138-01 - Emerson DeltaV Multiple Vulnerabilities
========================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-12-138-01.pdf

- CROSS-SITE SCRIPTING
  looks like a stored xss (html injection), so may be ok

- SQL INJECTION
  ok

- DENIAL OF SERVICE
  ok

- BUFFER OVERFLOW
  it depends if the project files have a registered extension

- FILE MANIPULATION
  seems ok but it doesn't say if the content of the files is arbitrary
  or not... it's a big difference because in one case you have a
  possible annoyance/DoS and in the other you get code execution

===========================================================
ICSA-12-145-01 - Measuresoft ScadaPRO dll Hijack Corruption
===========================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-12-145-01.pdf

- UNCONTROLLED SEARCH PATH ELEMENT
  not a bug

***********************************************************************
Note: from this point I go in alphabetical order because recently
ICS-CERT has changed the archive.html section that previously was in
chronological order.
***********************************************************************

================================================================
Advantech Studio Test Web Server Buffer Overflow, ICSA-10-337-01
================================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-10-337-01.pdf

- the Test server is just... a test server, not active by default, even
  the vendor says to NOT use it in a production environment, so there
  is no real scenario

============================================================
Advantech WebAccess Multiple Vulnerabilities, ICSA-12-047-01
============================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-12-047-01.pdf

- Cross-site scripting (XSS)
  Cross-site request forgery (CSRF)
  reflected xss, so not a bug

====================================================
AGG SCADA Viewer OPC Buffer Overflow, ICSA-11-018-01
====================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-11-018-01.pdf

- a stack overflow in a configuration file? not a bug

==================================================================================
Automated Solutions OPC Vulnerability (UPDATE), ICSA-10-322-02A (January 21, 2011)
==================================================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-10-322-02A.pdf

- in short this is not a server-side bug but it works in this way:
  - the OPC server is a program with a list of fixed IP addresses of
    PLC devices to contact, it's like a client that connects to
    different hosts (it listens on no ports)
  - an attacker MUST own the IP address of the target PLC device in
    some way
  - and even if he is able to do it then he can only write data of
    uncontrollable content in the heap
  - seems there is also another requirement but it's not very clear
  in my opinion this type of problem can't be defined a real bug for
  the moment, it's interesting but the scenario is too weak

===========================================
Cogent DataHub XSS and CRLF, ICSA-12-016-01
===========================================
http://www.us-cert.gov/control_systems/pdf/ICSA-12-016-01.pdf

- CROSS-SITE SCRIPTING
  reflected xss, not a bug

- HTTP HEADER INJECTION VULNERABILITY
  "HTTP response splitting attack" is not a real bug

====================================================================
ING. Punzenberger COPA-DATA GMBH DoS Vulnerabilities, ICSA-12-013-01
====================================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-12-013-01.pdf

- DENIAL OF SERVICE VULNERABILITY 1 / 2
  DoS or code execution? it's probably an error in the alert because it
  looks only like a DoS, I don't know why they wrote about possible
  code execution

============================================================
Ecava IntegraXor ActiveX Directory Traversal, ICSA-12-083-01
============================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-12-083-01.pdf

- perfect example of lack of details: an attacker can magically execute
  code and manipulate files through the opening ("reading") of a local
  file (directory traversal, so something on the victim's machine).
  note that the alert talks about an ActiveX bug (so client-side) but
  then there are references to the Ecava IntegraXor server... if it's
  possible to create files on the system with arbitrary content via
  ActiveX, why not just write it "as is" in this way?

=============================================================
Ecava IntegraXor DLL Hijacking, ICSA-11-147-01 (May 27, 2011)
=============================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-11-147-01.pdf

- not a bug

====================================
Ecava IntegraXor XSS, ICSA-11-147-02
====================================
http://www.us-cert.gov/control_systems/pdf/ICSA-11-147-02.pdf

- reflected xss, not a bug

==========================================================
GE Proficy Historian Web Administrator XSS, ICSA-11-243-02
==========================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-11-243-02.pdf

- reflected xss, not a bug

============================================================
ICONICS GENESIS32 Multiple Memory Corruption, ICSA-11-273-01
============================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-11-273-01.pdf

- do these files have registered extensions? and why are they
  classified as "memory corruption"? I guess the memory corruption term
  has been abused here, so they may be no security bugs at all, just my
  guess considering the complete absence of details and the generic
  usage of the "memory corruption" term: you must be really unlucky to
  find 8 bugs that all have unknown causes and effects, a crash through
  a file is NOT a bug

===================================================
ICONICS Login ActiveX Vulnerability, ICSA-11-182-02
===================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-11-182-02.pdf

- if it's an ActiveX bug why does the alert talk about "requires
  creation of a specially crafted password"? an ActiveX is just a
  function with parameters provided by the attacker, so if there is
  something to "create" it's not an ActiveX bug, or do they mean the
  victim must insert the password by hand? mah, it smells a lot

===============================================================================================
Wonderware HMI Reports XSS and Write Access Violation, ICSA-12-039-01
Ocean Data Systems Dream Reports XSS and Write Access Violation Vulnerabilities, ICSA-12-024-01
===============================================================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-12-039-01.pdf
http://www.us-cert.gov/control_systems/pdf/ICSA-12-024-01.pdf

- CROSS-SITE SCRIPTING
  reflected xss, not a bug

- WRITE ACCESS VIOLATION
  looks like the file doesn't have a registered extension, so there is
  no real scenario

==========================================================
Wonderware InBatch ActiveX Buffer Overflow, ICSA-11-094-01
==========================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-11-094-01.pdf

- the alert says that in Wonderware 9.0 (so the most recent version) it
  results only in a DoS (probably caused by the usage of an exception
  handler that can't be bypassed)... a DoS in an ActiveX is NOT a
  vulnerability.
  it's interesting to notice also the first part of the description
  provided in the "VULNERABILITY OVERVIEW" section, because I don't
  understand if it's a generic and useless introduction or it has
  something to do with the bug

======================================================================
Wonderware Information Server Multiple Vulnerabilities, ICSA-12-062-01
======================================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-12-062-01.pdf

- CROSS-SITE SCRIPTING
  looks like html injection so ok, but then it talks about "social
  engineering", uhmmm reflected xss?

- SQL INJECTION
  no details about required permissions or authentication, so I guess
  it's unauthenticated (in which case it's ok)

- PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS
  uhmmm this smells because it makes no sense to say that an access
  issue leads to a DoS, there is something missing or wrong

================================================
Progea Movicon Memory Corruption, ICSA-12-131-01
================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-12-131-01.pdf

- MEMORY CORRUPTION VULNERABILITY
  "memory corruption" is not a good term to describe an "out-of-bounds
  read vulnerability" that causes a DoS. usually memory corruption is
  used for those chaotic bugs (or those on which no analysis has been
  performed, wasting time for free is boring) that leave space for a
  possible write operation or something that can be used for an (even
  hard) exploitation... something like a 0.1% chance of code execution,
  which is completely different from an invalid memory read access
  that leads to a 100% DoS

==================================================================
Rockwell FactoryTalk Diag Viewer Memory Corruption, ICSA-11-175-01
==================================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-11-175-01.pdf

- the alert suggests that the extension of the file is not registered,
  so there is no real scenario

===================================
Rockwell RSLinx EDS, ICSA-11-161-01
===================================
http://www.us-cert.gov/control_systems/pdf/ICSA-11-161-01.pdf

- as above, no registered extension means no scenario

=========================================================================
Safenet Sentinel and 7-T Input Sanitization Vulnerability, ICSA-11-314-01
=========================================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-11-314-01.pdf

- how is it possible that an unauthenticated attacker has access to the
  HASP Admin Control Center and can even inject html data in the
  configuration file? then why are only some browsers affected? uhmmm,
  too many doubts

=================================================================================
CitectSCADA and Mitsubishi MX4 SCADA Batch Server Buffer Overflow, ICSA-11-279-02
=================================================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-11-279-02.pdf

- a third party component means the bug is not in the target software,
  however it's often difficult or impossible to understand if a
  component (like a server program or even a library) is original or is
  a third party component so... it depends and it's nobody's fault.
  in this case there is a complete lack of details about this
  component, it's written only that it's a server. it's even possible
  that this was a known vulnerability, nobody knows

===============================================================
Multiple Vulnerabilities in ClearScada Software, ICSA-10-314-01
===============================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-10-314-01.pdf

- HEAP OVERFLOW
  confusing details and lack of real tech information, "overly long
  strings following a valid packet" means that not even a minimal
  analysis has been performed... oh come on

- INSECURE WEB AUTHENTICATION
  not a bug

- CROSS-SITE SCRIPTING
  reflected xss, not a bug

======================================================================================
Schneider Electric Vijeo Historian Web Server Multiple Vulnerabilities, ICSA-11-307-01
======================================================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-11-307-01.pdf

- DENIAL OF SERVICE
  a DoS in an ActiveX... is this a joke? then that ActiveX is a known
  third party component

- BUFFER OVERFLOW
  TeeChart is a known third party component

- CROSS-SITE SCRIPTING
  reflected xss, not a bug

- DIRECTORY TRAVERSAL
  it seems ok

=====================================================
Sielco Sistemi Winlog Buffer Overflow, ICSA-11-298-01
=====================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-11-298-01.pdf

- seems that the file extension is not registered, so there is no real
  scenario

=================================================
Siemens WinCC Exploitable Crashes, ICSA-11-175-02
=================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-11-175-02.pdf

- "Memory Corruption: client side exploit that allows arbitrary code
  execution. DoS / Null pointer issues: client side exploit."
  a Denial of Service bug versus a client? then it seems that the file
  has no registered extension, so no scenario in any case

=====================================================================
Unitronics UNIOPC Server Input Handling Vulnerability, ICSA-11-279-03
=====================================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-11-279-03.pdf

- "IP*Works! SSL" is a known third party library, it's not Unitronics

=================================================================
Wellintech KingSCADA Insecure Password Encryption, ICSA-12-129-01
=================================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-12-129-01.pdf

- INSECURE PASSWORD ENCRYPTION
  not a bug

============================================================
WellinTech KingView DLL Hijack Vulnerability, ICSA-12-122-01
============================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-12-122-01.pdf

- UNCONTROLLED SEARCH PATH ELEMENT
  not a bug

==================================================
7-Technologies Aquis DLL Hijacking, ICSA-12-025-01
==================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-12-025-01.pdf

- not a bug

==========================================================
7-Technologies Interactive Graphical SCADA, ICSA-11-353-01
==========================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-11-353-01.pdf

- not a bug

===================================================
7-Technologies Termis DLL Hijacking, ICSA-12-025-02
===================================================
http://www.us-cert.gov/control_systems/pdf/ICSA-12-025-02.pdf

- not a bug

#######################################################################

Note that even the bugs to which I gave my "ok" and those not included
in this list may be doubtful bugs.

For example, if an advisory reports a remote buffer overflow but the
target service listens only on 127.0.0.1, obviously you don't have a
bug.

If there are no details about authentication or required permissions
there is the risk of considering a bug more critical than what it is.

If the traffic is in plain-text it can't be defined a security bug (it
would be the same if the client and server use a fixed or predictable
key), otherwise 99% of software and protocols have bugs.

And it's not possible to talk about DoS (a non permanent crash) for an
ActiveX or any other local/client-side software, so code execution MUST
be reached with a very high percentage of success or it's not a bug at
all.

But it's also possible that a doubtful bug is instead a good bug, the
lack of details can be a disadvantage for real vulnerabilities.

#######################################################################
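Two of the "is there a real scenario?" checks applied throughout these notes (does the file extension have a registered handler, so a double-click on a crafted file actually reaches the vulnerable parser, and is the service bound to 127.0.0.1 only), scripted as an added PowerShell example that is not part of the original document. It assumes a Windows host where the product is installed; '.example' and port 12345 are placeholder inputs, not values from any advisory.

```powershell
# Added example, not from the original document. Placeholder inputs only.

function Test-RegisteredExtension {
    # Returns whether an extension maps to a ProgID with a shell "open" command,
    # i.e. whether a file-format bug has a realistic double-click scenario.
    param([Parameter(Mandatory)][string]$Extension)
    if (-not $Extension.StartsWith('.')) { $Extension = ".$Extension" }
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    if (-not (Test-Path -Path $extKey)) {
        return [pscustomobject]@{ Extension = $Extension; Registered = $false
                                  ProgId = $null; OpenCommand = $null }
    }
    # The default value of HKCR\.ext names the ProgID that owns the file type
    $progId = (Get-ItemProperty -Path $extKey).'(default)'
    $cmd = $null
    if ($progId) {
        $cmdKey = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
        if (Test-Path -Path $cmdKey) {
            $cmd = (Get-ItemProperty -Path $cmdKey).'(default)'
        }
    }
    # Only a ProgID *and* an open command give the "open crafted file" scenario
    [pscustomobject]@{
        Extension   = $Extension
        Registered  = [bool]($progId -and $cmd)
        ProgId      = $progId
        OpenCommand = $cmd
    }
}

function Test-ListenerScope {
    # Reports whether a TCP listener is loopback-only or remotely reachable,
    # the "remote bug on 127.0.0.1" case from the closing notes.
    param([Parameter(Mandatory)][int]$Port)
    $listeners = Get-NetTCPConnection -State Listen -LocalPort $Port `
                                      -ErrorAction SilentlyContinue
    if (-not $listeners) { return "no listener on TCP/$Port" }
    foreach ($l in $listeners) {
        # 0.0.0.0 / :: bind every interface; 127.0.0.1 / ::1 are local only
        $scope = if ($l.LocalAddress -in '127.0.0.1', '::1') { 'loopback only' }
                 else { 'remotely reachable' }
        "TCP/$Port on $($l.LocalAddress) (pid $($l.OwningProcess)): $scope"
    }
}

# Usage with placeholder values (constructed for this example):
Test-RegisteredExtension -Extension '.example' | Format-List
Test-ListenerScope -Port 12345
```

An extension that resolves to a ProgID without an open command (or to no ProgID at all) is reported as not registered, matching the way the notes above dismiss file-format crashes.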