The Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team, or ICS-CERT, issued security advisories on Tuesday, addressing vulnerabilities in three ICS technologies from Eaton Lighting Systems, Pro-face and Rockwell Automation, respectively.
As they are all different in nature, the vulnerabilities do not seem to be indicative of any larger trend. However, the quick succession of these announcements does serve to underscore the importance of shoring up ICSs, especially those that manage and operate critical infrastructure. Indeed, the Pro-face and Rockwell technologies named in DHS's advisories are deployed in commercial, critical manufacturing, energy and water treatment facilities, while the Eaton product in question is used worldwide in residential applications.
Unique among the advisories is an access violation memory error in Rockwell Automation's Integration Architecture Builder (IAB), an application used to configure Logix-based automation systems in ICSs. Discovered by Nullcode Team researcher Ivan Sanchez, the flaw, if exploited with a maliciously altered project file, could “allow the execution of unknown code on the affected computer. If successful, such unknown code will run at the same privilege as the user who is logged into the machine,” the DHS advisory explains.
Although this particular vulnerability can only be exploited locally, it is nonetheless a dangerous flaw because the people using Rockwell's IAB application are often third-party contracted engineers who travel to various critical work sites, helping organizations configure their systems. “The idea of having access to a roaming engineer's laptop — it's a highly desirable target,” Eric Cornelius, managing director of critical infrastructure and ICS at Cylance, and the former deputy director and chief technical analyst at DHS ICS-CERT, told SCMagazine.com.
Rockwell updated its software to fix the vulnerability, and also recommends not opening any “untrusted” IAM project files, especially with the extension .exe, and also to run all software with only basic user privileges, and not as an administrator.
"The company took rapid steps to respond to this vulnerability and has offered a new software release that is available," said a written company statement from Rockwell. "We encourage our customers to remain vigilant as technology continues to evolve. As an industrial security leader, Rockwell Automation is committed to rapidly responding to new and ongoing security threats."
The other two vulnerabilities are also worrisome, as they can both be remotely exploited, in some cases without any user interaction.
Zero Day Initiative discovered an information disclosure vulnerability and two buffer overflow vulnerabilities in multiple versions of Pro-face's GP-Pro EX human machine interface (HMI) software, which bad actors can exploit to execute arbitrary code. Meanwhile, independent researcher Jeremy Brown identified a hard-coded credentials issue in the FTP server, which can allow an unauthorized user to remotely gain access to projects on the attacked device. Pro-face has release an updated module to mitigate the vulnerability.
Finally, independent researcher Maxim Rupp is credited with finding authentication bypass vulnerabilities in the Eaton Lighting Systems EG2 Web Control application, versions 4.04P and prior. The advisory warned that attackers could remotely exploit these vulnerabilities “to perform operations allowing the EG2 connection to configure the system via the Internet rather than by connecting directly into the network.”
In response, Eaton has produced a firmware patch to fix the flaw, but it will also be removing the EG2 web control functionality from future devices.
Mark Horner, senior manager, global communications at Eaton, told SCMagazine.com in an email that Eaton has its own cybersecurity team that works closely with ICS-CERT and also "provides customers with real-time access to information on best practices to deploy Eaton products in their networks, authoritative information on current cyber threats and the steps required to help ensure that Eaton products installed on their networks are not affected."
Cornelius from Cylance told SCMagazine.com that these advisories serve as a reminder that it is necessary for owners and operators of ICS technology, especially in critical infrastructure sectors, to “exercise good network segmentation and defense in depth principles.”
UPDATE 4/11: This article was updated to include a statement from Eaton Lighting Systems.
