The mass of vulnerabilities and related proof-of-concept exploit code released by Luigi Auriemma were a new event and test to the ICS world. Let’s take a look at the progress one month later – – and it is good news.
First, my prediction that Siemens would not patch FactoryLink because it was an end-of-life product, being replaced by WinCC, was dead wrong. Siemens issued patches and configuration change guidance to address the vulnerabilities. Getting this done within a month is impressive, and much shorter than the usual security patch cycle in the ICS space.
DATAC / RealFlex
The issue from the start with this vendor has been communication. We broke the news that the commercial version included encryption that was not available in the free download version, but could not get confirmation from the vendor. Then ICS-CERT issues a bulletin that the commercial version is not affected by the vulnerability, yet the vendor issued upgrades for both the commercial and free download version. The best we can ascertain at this point is the vulnerability was in both versions, but it was harder to exploit in the commercial version because of the encryption.
Loyal blog readers may be wondering why this is still an issue. Customers need accurate information to decide whether to upgrade or not. If the previous commercial version has or does not have this vulnerability is an important factor in the upgrade decision.
The good news is that new versions addressing the vulnerability were issued on April 7, again less than a month from the disclosure.
Another success story with security updates being issued in less than a month is Iconics. The vendor even went the extra step of providing a short white paper that discusses the vulnerabilities and security updates.
There is still some confusion on the Directory Traversal Vulnerability related to the SafeNet Sentinel License Monitor service, and we have gotten conflicting information from sources. The key point is whether the known vulnerabilities in that version of the SafeNet service were exploited or if this was a new Directory Traversal Vulnerability in that service.
This vendor had security patches out four days after the vulnerabilities and exploit code was released.
- Faster Security Updates – Four different vendors, with varying profiles, released security updates within a month. This is an unprecedented speed in response. A conclusion to draw from this is the release of 0day vulnerability and exploit code dramatically improves the fixing of security problems. Of course this also leaves owner/operators exposed for the time of the disclosure until the time the security update is applied. This then goes down the disclosure debate trail where most people have already a hardened position, so I’ll avoid trying to determine whether this is good or bad here.
- Vendor Communication Needs Improvement – As highlighted above and also providing updates confirming the vulnerability, security updates being developed, precise nature of the vulnerabilities, affected products, etc. Also the vendors should be following the FIRST guidelines on vulnerability handling with dedicated security email and security web pages.
- ICS-CERT Timely Bulletins – ICS-CERT filled the coordinator role well in this case with timely bulletins. Any small problems here are likely attributed to the information they were getting from the vendors.
Image by warrenski