Saga may be overstated since the process did not take that long, but it was a classic example of why we don’t agree with leaving disclosure decisions up to the vendor, or the researcher. Our approach is to let a coordination center, US-CERT in this case, determine what disclosure is appropriate.
On April 17th Xavier Panadero of Neutralbit contacted Wonderware about the InTouch 8.0 vulnerability. After some back and forth, Wonderware indicated in June that the vulnerability was not present in InTouch 9.0 and Xavi was able to verify this. So far, so good. A solution to remove the vulnerability and a reasonably prompt vendor response by disclosure standards. Then the problems began.
What was Wonderware going to do to notify InTouch 8.0 customers of the vulnerability and the fix?
After all, InTouch 8.0 is still being sold to existing users through the end of the year. Given the long lifecycle of control system devices and applications there will likely be 8.0 systems for at least another five years.
Wonderware’s answer was fuzzy. They sent out a very large whitepaper “Securing Industrial Control Systems” and implied that customers needed to read this to fix the vulnerability. The whitepaper did not address the vulnerability. They mentioned customers with support contracts could upgrade to 9.0. They said the product is just a “toolbox”, and it is impossible for them to control how customers use the product. Still no answer to the question of whether Wonderware had told their customers or planned on telling their customers.
At this point Xavi asked for our assistance in working the issue with Wonderware and US-CERT if appropriate. I contacted Wonderware and got the same answer, and they felt the case was closed. It was only when I told them this vulnerability was being reported to US-CERT and we were just trying to be accurate about their disclosure to date that the tenor changed.
To the best of my knowledge, prior to our disclosure to US-CERT Wonderware had not disclosed, nor did they intend to disclose, the vulnerability. Not even on their limited-access support site. I checked with friends who had access to this site, and they found no notice. After all, it was fixed in 9.0.
This is a classic example of the silent fix. An asset owner does not have the information to determine whether they should upgrade or not. They may decide the features do not warrant an upgrade, but if the security issue were disclosed they might reach a different decision. The risk is the asset owner’s, so they need the information to make that decision.
We can argue how much information should be disclosed, by whom and to whom, but I think almost all would agree that customers should be notified in at least a vague way of a serious security problem with an existing solution.
The question I have is how many other security vulnerabilities is Wonderware sitting on?
And this may be quite petty, but in the last hour of the last day at WeissCon a Wonderware employee stood up twice and said if you need secure systems they had it. Problem has been solved. If it had not been so late in a long three day event I think many in the room, including myself, would have jumped on it. Not because of any one vulnerability, but because it showed a lack of understanding of security.
Wonderware has published a public announcement and a private tech note. The public announcement downplays the vulnerability saying “The presence of the share can cause some confusion or concern as related to NetDDE security. The share name appears in a security scan of the computer, even if the share is not usable.” I have seen the exploit from Xavi, and he has compromised systems in his lab with the default install.
It seems that Wonderware still does not get it. Software has bugs and some are going to lead to vulnerabilities. When one is found you deal with it honestly and encourage your customers to apply the patch. I really wonder what the private technical note says.
After all that bashing, let me say Wonderware is not alone and is in many ways better than numerous control system vendors. The majority of the vulnerabilities we identify are in assessments where we are restricted by NDA. All too often the vendor responds with a “yes, you are correct,” followed by either a sizable engineering fee to fix their mistake or a polite way of saying it will not be fixed. At least Wonderware had a fix, and they do emphasize putting security features in their product.
We continue to push our clients to disclose vulnerabilities to US-CERT and their user groups to put more pressure on the vendors to fix the problems.