I was taken to task in a conversation at the OSIsoft User Conference – – why didn’t Digital Bond and others rip into the vendors and ICS-CERT over the response to Luigi and other SCADA security vulnerabilities as in times past?
He went on to explain that the ICS-CERT bulletins basically said don’t let the bad guys get to your systems, and in the past I had blogged critically on that response. True. I don’t have a good defense except just getting tired of writing the same blog entry over and over again, and we were busy with the IDS signatures. But since 36 control system security vulnerability advisories come out last week, let’s look at the responses to the 35 0days one week later.
On the pro side, they had the Luigi bulletins out within 24 hours, which is more responsive than in the past. The argument could be with the mitigation section,
“ICS-CERT recommends that users minimize network exposure for all control system devices. Control system devices should not directly face the Internet.”
This really isn’t mitigation; it is just good security practice. You could say this for any database vuln or a variety of other vulnerabilities. Don’t let the bad guys get to the vulnerable app is not really mitigation. After all if you don’t let the bad guys get to the app then vulnerabilities don’t ever matter. This and other similar information probably doesn’t belong in a mitigation section. That said, there are still too many in the ICS community that need this basic advice.
Here is my suggestion. Leave the mitigation section there and just put None.
Add another section with a title of Good Practices or something better and add this general guidance. The guidance could include the availability of SCADA IDS signatures at this point.
ICS-CERT has proven to be good at two things: coordinating vulnerability disclosure when all parties decide to use their services and publishing already public info after the fact. The later may sound trivial, but many in the ICS community will not follow other sources.
Congratulations to 7-Technologies. They had a security patch out on March 25th, four days after the Luigi Vulnerabilities were released. It was released through the support channels, reasonable approach, and we are only able to assume it fixes all the identified vulnerabilities.
A small nick for the headline “IGSS – ongoing focus on security” and “It should be emphasized that the reported security issue is only relevant if you run IGSS without a firewall.”
Maybe loyal blog readers think I’m being too tough, but I would have preferred a headline of “IGSS Issues Patches for Vulnerabilities and Revises Their SDL”. An ongoing focus on security in this case would have been a review as to how these common programming errors that led to vulnerabilities made it to released code. Then a modification of the SDL to prevent, or at least make much more unlikely, that this would happen again. This review may have taken longer than four days, but that should be the focus for most of these vendors after they issue the security patches.
This vulnerability found by Rubén Santamarta got lost in all the Luigi Auriemma vulnerability disclosures, and it is interesting case study.
From the public record, Rubén went to ICS-CERT and the vendor originally, but the vendor could not or would not confirm the vulnerability. Rubén then released the vulnerability and exploit code.
I could not find any mention of the vulnerability on their site. They had the worst public performance of the affected vendors.
Note: They should redirect the obsolete broadwin.com site.
DATAC / RealFlex
A short bulletin page is available from a link at the bottom of their home page. I called the number on that page for more information.
After a transfer and short delay, a supervisor told me that the vulnerability only affects the demo version. The version that is delivered after sale has “an encryption key” that is not part of the demo version. Purportedly without this encryption key you would not have the ability to connect to the application to run the attack. He was going to work with the team in Ireland to get more information, and I’ll post it when I receive it.
My guess is this is a new feature in version 2.1.11, issued on 14 Feb 2011, because they say this vulnerability “affects version 2.1.10 and older”.
There is no information on a new encryption capability on their site, and encryption likely does not affect the stack vulnerability. It could require an attacker launch the attack from a site with the encryption key or otherwise compromise the encryption.
If accurate, this is important information limiting the impact of the vulnerability. Since it is a very new version upgrade, the advice to customers could be to upgrade to make the vulnerability harder to exploit and wait for a forthcoming patch.
So maybe the biggest issue with DATAC / RealFlex is they need to improve their communication in response to these issues.
A very short response was issued on March 23rd, and they do deserve the same treatment that other vendors have gotten for only saying, “ICONICS recommends that control system devices and servers should not directly face the Internet and should be located behind secure firewalls. If remote access is required, secure methods, such as Virtual Private Networks (VPNs) should be employed.”.
So we are a week later – have they confirmed the vulnerabilities? Do they have a plan and schedule to release security patches? Have they issued any other mitigation measures, such as SCADA IDS signatures that could also be used at the perimeter in an IPS mode?
According to the short response, “ICONICS takes this alert very seriously and in cooperation with US-CERT is investigating the issues raised in the alert, as well as whether any further action is required.” They should know by now whether any further action is required.
This is not the first ICONICS vulnerability, and they should have a better method for dealing with vulns.
As mentioned before in the blog, FactoryLink is an old product that was classified as mature in July 2007 and pulled from sale in October 2012. They are trying to get customers to migrate to WinCC. Given the age of the product, it may not make sense to bother trying to develop patches. It came from an era before security was an issue and is likely irreparable.
That said, Siemens should at least notify customers and have a position on what they will do. There was no information on the automation.siemens.com site that had the WinCC/Stuxnet updates.
So one week later it is a mostly negative, mixed bag of responses. 7-Technologies had the best public response, and DATAC/RealFlex had the best response that unfortunately never made it out to the public.
Image by debaird