Posts Tagged ‘HMI’
Wednesday, April 3, 2013 @ 12:04 PM gHale
Two reports of vulnerabilities, one affecting Clorius Controls and one affecting Mitsubishi, were released to the public this week without mitigations from the suppliers, which means users need to remain extra vigilant, according to ICS-CERT.
The first release was for a remotely exploitable vulnerability affecting the Clorius Controls ICS SCADA product that allows an information disclosure that can lead to a loss of confidentiality.
The report found that the device hosts a web service that reveals fingerprint information. The report was released without coordination with either the vendor or ICS-CERT.
ICS-CERT attempted to notify the affected vendor of the report to confirm the vulnerability and identify mitigations. ICS-CERT issued an alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other cyber security attacks.
Meanwhile, another report was released without coordination for a remotely exploitable heap-based buffer overflow vulnerability, with proof-of-concept (PoC) exploit code, affecting Mitsubishi MX, a supervisory control and data acquisition/human-machine interface (SCADA/HMI) product. The vulnerability could lead to remote code execution.
According to this report, the vulnerability is exploitable when an attacker provides specially crafted input. ICS-CERT notified the vendor and has asked the vendor to confirm the vulnerability and identify mitigations.
According to the Mitsubishi Automation Web site, MX links Mitsubishi PLCs with PCs running Microsoft Windows via serial, Ethernet, or other connections.
Friday, March 8, 2013 @ 05:03 PM gHale
Indusoft created a fix that mitigates a directory traversal vulnerability in Indusoft Studio and Advantech Studio applications, according to a report on ICS-CERT.
Indusoft originally produced this product, which was later rebranded as Advantech Studio (both products share the vulnerability).
This remotely exploitable vulnerability was discovered by independent researcher Nin3, who released proof-of-concept (PoC) exploit code without coordination with ICS-CERT, the vendor, or any other coordinating entity known to ICS-CERT. Attacks targeting this vulnerability are publicly available.
The following product versions suffer from the issue:
• Advantech Studio V7.0 and previous
• Indusoft Studio V7.0 and previous
Successful exploitation of this vulnerability could allow an attacker to download arbitrary files from the target system.
Indusoft designed and maintains Advantech Studio, which is a collection of automation tools that includes components required to develop human-machine interfaces (HMIs) and supervisory control and data acquisition (SCADA) system applications that run on various Windows platforms.
According to Advantech, Advantech Studio currently sees use at nearly 2,000 installations worldwide. Advantech Studio is used in a variety of applications including energy, building automation, water and wastewater management, and manufacturing.
InduSoft products are often integrated as third-party components in other vendors’ products. Indusoft is a U.S.-based company that sells through distributors worldwide.
Advantech Studio contains a flaw in the CreateFileW function of the sub_401A90 routine in the NTWebServer.exe file. The issue occurs when handling an absolute path request, which may allow a remote attacker to gain access to arbitrary files.
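As an added illustration (not code from InduSoft, Advantech or the advisory), the pattern below shows why passing an absolute path taken from a request straight through to a file-open call escapes the web root, next to a resolver that refuses such requests; the web root path and the request strings are constructed for the example.

```python
import ntpath

# Constructed web root for the example; the product's real install path is not assumed.
WEBROOT = r"C:\webroot"


def vulnerable_resolve(webroot: str, requested: str) -> str:
    """Flawed pattern: join the requested path onto the web root and open the result.

    ntpath.join discards the base directory when the second argument carries a
    drive letter, so a request for an absolute path such as C:\\Windows\\win.ini
    resolves entirely outside the web root.
    """
    return ntpath.normpath(ntpath.join(webroot, requested))


def hardened_resolve(webroot: str, requested: str):
    """Return the on-disk path for a request, or None if it would leave the web root.

    Every request is treated as relative to the root: leading separators are
    dropped, anything carrying a drive prefix is refused, and the normalised
    result must still lie under the root.
    """
    root = ntpath.normpath(webroot)
    # URL paths use '/', the file system uses '\'; strip leading separators so
    # "/index.html" means "<root>\index.html", not "<drive>:\index.html".
    rel = requested.replace("/", "\\").lstrip("\\")
    drive, _ = ntpath.splitdrive(rel)
    if drive:
        return None
    candidate = ntpath.normpath(ntpath.join(root, rel))
    # Containment check after normalisation, so "..\" segments are resolved
    # before the comparison is made.
    if candidate != root and not candidate.startswith(root + "\\"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("/index.html", r"C:\Windows\win.ini", "/../../Windows/win.ini"):
        print(f"{req:28} flawed   -> {vulnerable_resolve(WEBROOT, req)}")
        print(f"{'':28} hardened -> {hardened_resolve(WEBROOT, req)}")
```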
CVE-2013-1627 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.
An attacker with low skill would be able to exploit this vulnerability.
Indusoft created a hotfix for this vulnerability. In order to install the hotfix, customers should send a request to firstname.lastname@example.org. Indusoft will send the installation files and assist the customer through the installation process.
Monday, January 21, 2013 @ 01:01 PM gHale
Schneider Electric issued a patch for a buffer overflow vulnerability in its Interactive Graphical SCADA System (IGSS) application, according to a report on ICS-CERT.
All versions of the IGSS application suffer from the remotely exploitable vulnerability. Aaron Portnoy, the researcher at Exodus Intelligence who found the problem, validated the patch as resolving the issue.
An attacker could exploit this vulnerability to cause a buffer overflow that could possibly allow execution of code under administrator credentials. IGSS sees use in the renewable energy, process control, monitoring and control, motor controls, lighting controls, electrical distribution, and security system sectors.
Schneider Electric is a US-based company that has offices in 190 countries.
IGSS is a desktop application used to integrate industrial control system (ICS) components from diverse vendors using diverse sets of protocols and integrate their configuration and monitoring functions using IGSS as a single supervisory or human-machine interface (HMI) system.
Vulnerabilities are classified by Common Weakness Enumeration (CWE); this stack-based buffer overflow is CWE-121.
In addition, IGSS communicates with a broad range of ICS devices using a broad range of protocols over two network ports, 12397/TCP and 12399/TCP by default. The exploit demonstrates that out-of-protocol communication over Port 12397/TCP can cause a buffer overflow condition. Although this overflow can cause the application to crash, an attacker can also apply techniques to take advantage of the buffer overflow and likely execute malicious code with administrator privileges.
CVE-2013-0657 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.
At present, no known exploits specifically target this vulnerability. An attacker with moderate skill would be able to exploit this vulnerability.
Schneider issued two patches for versions V9 and V10 of the IGSS software to address this vulnerability. These patches are available from the Schneider Electric Web site.
Users of this software with older versions should upgrade their software or employ other mitigation methods. At a minimum, this port should be filtered to allow access only from the specific IP addresses of the devices being controlled or monitored.
Monday, December 31, 2012 @ 11:12 AM gHale
There are mitigation details available for a vulnerability that impacts the i-GEN opLYNX Central software, which could lead to a partial leakage of information and access to system settings, according to a report on ICS-CERT.
The mitigations address an authentication bypass vulnerability in the i-GEN Solutions opLYNX Central application.
Independent researcher Anthony Cicalla, who found the remotely exploitable vulnerability, tested the new version to validate it resolves the vulnerability. This vulnerability impacts the energy sector, mainly in Canada.
All opLYNX versions 2.01.8 and prior suffer from the issue.
Exploitation of this vulnerability could allow access to configuration settings and other information in the opLYNX Central application.
i-GEN Solutions Corp. is a Canada-based company that provides human-machine interface (HMI), supervisory control and data acquisition (SCADA), and plant historian software to oil and gas, pipelines, chemicals, utilities, and waste water management facilities around the world.
The affected product, opLYNX Central, is a Web-based application, which i-GEN Solutions said mainly sees deployment in the energy sector in Canada.
An attacker with low skill would be able to exploit this vulnerability with publicly available tools.
i-GEN Solutions released a new version, opLYNX 2.01.9, that resolves this vulnerability. The new version is applied automatically upon login.
Friday, December 14, 2012 @ 06:12 PM gHale
Mitigations are available for a vulnerability that impacts Siemens ProcessSuite and Invensys Wonderware InTouch products, according to a report on ICS-CERT.
Mitigations are available for an insecure password storage vulnerability in Siemens ProcessSuite and Invensys Wonderware InTouch applications.
On one hand, Siemens said ProcessSuite is an outdated system and it cannot issue an update that meets current security requirements. Instead the company recommends upgrading to a more recent human-machine interface (HMI).
On the other hand, Invensys recommends using Windows integrated security rather than the InTouch security subsystem, but has created a new patch to mitigate this vulnerability.
Successful exploitation of this vulnerability, discovered by researcher Seth Bromberger of NCI Security, LLC and independent researcher Slade Griffin, can allow an attacker to log in to the system as a privileged user and take over the application.
All versions of Siemens ProcessSuite suffer from the issue. Siemens said ProcessSuite was phased out in 2005 and completely discontinued in 2010. Customers using SIMATIC PCS7 / APACS+ OS are not affected.
The following Invensys Wonderware InTouch versions suffer from the issue: Wonderware InTouch 2012 R2 and previous. Wonderware applications that use Windows Integrated security or ArchestrA security do not have the problem.
An attacker with read permissions to the password file can decrypt it and obtain all usernames and passwords, allowing them to log on as a privileged user and take over the application.
ProcessSuite is a part of a Distributed Control System “APACS+” from Moore Products Inc., which Siemens acquired in 2000. Siemens ProcessSuite is based on Wonderware InTouch V7.11 and uses similar authentication mechanisms. Siemens no longer supports ProcessSuite.
ProcessSuite does go across several sectors including manufacturing, oil and gas, chemical, and others. Siemens estimates that these products are used primarily in the United States and Canada.
InTouch is an HMI created by Invensys Wonderware used for designing, building, deploying, and maintaining applications for manufacturing and infrastructure operations.
The affected software stores user management information, including passwords, in a reversible format in the file “Ps_security.ini”. An attacker with read permissions to this local file can obtain the passwords, log in as a privileged user, and potentially affect the availability, integrity, and confidentiality of the system. CVE-2012-4693 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.
An attacker would need local access to the password file to be able to exploit this vulnerability. An attacker with low skill would be able to exploit this vulnerability.
Friday, November 16, 2012 @ 01:11 PM gHale
ABB created a patch for the buffer overflow vulnerability in its AC500 PLC Webserver application, which could lead to a denial of service (DoS), affecting the availability of the service, according to a report on ICS-CERT.
This vulnerability relates to the 3S Smart Software Solutions CoDeSys Vulnerabilities as the ABB AC500 PLC uses the CoDeSys Webserver, the report said.
This remotely exploitable vulnerability affects multiple sectors, including the energy, critical manufacturing, and transportation sectors. Exploits that target this vulnerability are publicly available.
The following ABB AC500 CPU modules with firmware Version V2.1.3 and Web server enabled suffer from the issue:
• 1SAP130 300 R0271 PM573-ETH,
• 1SAP140 300 R0271 PM583-ETH,
• 1SAP150 000 R0271 PM590-ETH,
• 1SAP150 100 R0271 PM591-ETH,
• 1SAP150 200 R0271 PM592-ETH,
• 1TNE968 900 R0110 PM554-T-ETH,
• 1TNE968 900 R1110 PM564-T-ETH,
• 1TNE968 900 R1210 PM564-R-ETH, and
• 1TNE968 900 R1211 PM564-R-ETH-AC.
Exploiting this buffer overflow vulnerability in the embedded CoDeSys Web server component used by ABB causes a DoS of the PLC that can be recovered only by cycling the system’s power. An attacker with low skill would be able to exploit this vulnerability.
Switzerland-based ABB maintains offices in several countries around the world and develops products in multiple critical sectors used worldwide.
The affected products, AC500 PLCs, are Web-based SCADA systems. According to ABB, the AC500 PLCs see use in several sectors including the energy, critical manufacturing, transportation, and others.
By sending an overly long URL to Port 80/TCP (Port 80 by default, but the device may use any arbitrary port), an attacker could cause a stack-based buffer overflow. This causes a crash of the PLC. The only remediation is to cycle the system’s power.
CVE-2011-5007 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.
ABB released a Vulnerability Security Advisory, and a patch (V2.1.5) that mitigates this vulnerability has been available since December 2011. Firmware versions starting from V2.1.4 do not contain the vulnerability. Firmware V2.1.5 is in the ABB PLC download center.
The Web server component is not active in the default configuration of the system. It should be used only if the user needs human-machine interface visualization. PLCs that are continuously running are most likely in a factory environment where additional cyber security measures, such as isolation and intrusion detection among others, are part of normal security operations and reduce the risk of malware or unauthorized personnel having a network connection to the PLC.
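As an added detection example (not from ABB or the advisory), the script below scans constructed HTTP request records from a network monitor placed in front of the PLCs and flags requests to known PLC addresses whose URL is far longer than any visualization page would need. The record format, the PLC address list and the 512-byte threshold are assumptions made for the example.

```python
import re
from collections import Counter

# Constructed: addresses of the AC500 PLCs on the plant network (assumed).
PLC_HOSTS = {"10.10.1.21", "10.10.1.22"}
# Constructed threshold; a visualization page URL on the PLC is far shorter.
MAX_URL_LEN = 512

# Constructed record format from a network monitor in front of the PLCs:
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port> <METHOD> <URL>"
RECORD = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)$"
)

# Constructed sample traffic; the last two lines are the overlong requests to PLCs.
SAMPLE_LOG = "\n".join([
    "2012-11-16T13:10:01Z 10.10.1.5 -> 10.10.1.21:80 GET /webvisu.htm",
    "2012-11-16T13:10:02Z 10.10.1.5 -> 10.10.1.21:80 GET /webvisu.jar",
    "2012-11-16T13:10:05Z 10.10.1.5 -> 10.10.9.9:80 GET /" + "A" * 900,    # not a PLC
    "2012-11-16T13:10:07Z 10.10.1.77 -> 10.10.1.22:8080 GET /" + "A" * 900,
    "2012-11-16T13:10:08Z 10.10.1.77 -> 10.10.1.21:80 GET /" + "B" * 2048,
])


def parse_record(line: str):
    """Parse one monitor record into its fields, or return None if it does not match."""
    m = RECORD.match(line.strip())
    return m.groupdict() if m else None


def find_overlong_requests(log_text: str, plc_hosts=PLC_HOSTS, max_len=MAX_URL_LEN):
    """Return (src, dst, port, url_len) for every request to a PLC whose URL is too long.

    Matching is by destination address rather than by port 80, because the
    Web server on the device can be bound to an arbitrary port.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or rec["dst"] not in plc_hosts:
            continue
        if len(rec["url"]) > max_len:
            hits.append((rec["src"], rec["dst"], int(rec["port"]), len(rec["url"])))
    return hits


def sources_by_hits(hits):
    """Count flagged requests per source address, to spot a host probing several PLCs."""
    return Counter(src for src, _, _, _ in hits)


if __name__ == "__main__":
    hits = find_overlong_requests(SAMPLE_LOG)
    for src, dst, port, n in hits:
        print(f"ALERT overlong URL ({n} bytes) from {src} to PLC {dst}:{port}")
    print(dict(sources_by_hits(hits)))
```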
Wednesday, October 31, 2012 @ 01:10 PM gHale
By Gregory Hale
One third of controllers are on manual operation at plants and Ian Nimmo wants to know how plants can achieve any kind of positive returns with their automation tools.
“One third of controllers are on manual because the operators say they have a better feel for what is going on,” Nimmo said during his keynote address Wednesday at the Yokogawa 2012 Users Group in New Orleans. “We promise big returns (with automation), but if controllers are on manual control, how can you deliver on what you promise.”
Automation gains all fall on reducing process variability, said Nimmo, the president and founder of User Center Design Services. Part of reducing variability in the process means reducing or eliminating alarms so operators are not reactive, but instead become proactive.
“When operators are using automation incorrectly there will be increases in variability,” Nimmo said. “I want to see proactive use of automation that will take care of an alarm before it actually becomes an alarm.”
“Process control operators are the saviors of our industry, they can make or break our profitability,” Nimmo said.
It all comes down to situational awareness and how operators handle the abnormal situations that can crop up. “The control system manages the normal; the operator is there to manage the abnormal,” Nimmo said.
What has to happen is the operator should be able to:
• Scan the environment for hazards
• Consider how equipment conditions are changing on a day-to-day basis
• Understand potential hazards
• Formulate plans for handling/avoiding hazards
One of the problems facing operators, Nimmo said, is they have poor tools. Yes, they have HMI and alarms, but they do not have the proper configurations or they are lacking proper data sets or even have poor graphics that are too confusing to understand.
“We know how to do it, but what are we going to do about it? If we continue to do things this way, we will continue to have accidents like Texaco Pembroke,” he said.
In Pembroke, Wales, four workers died and a fifth suffered serious injuries on June 2 last year when a 730 cubic meter storage tank exploded and also caused damage to a second tank. Ten fire and rescue service vehicles responded to the scene, and had fire extinguished within an hour and a half.
What operators need is to know the past, the present and the future. So, for good situational awareness, they need to know and understand:
• Abnormal Situational Management (ASM) Graphics
• Historical data
• Maintenance projections
• Weather forecasts
• Music, which can help alleviate any kind of stress in the environment which could help achieve a more stable atmosphere.
“Our goal is to have good situational awareness and having proactive operators,” Nimmo said.
The types of graphics operators see today are often way too colorful and busy. Nimmo said a true HMI interface should allow for color-coded graphics on a gray background that allow for understanding of what really is happening.
“We need tools that put danger in context,” Nimmo said.
Thursday, October 4, 2012 @ 05:10 PM gHale
There is a Structured Exception Handler (SEH) overwrite vulnerability with proof-of-concept (PoC) exploit code affecting Sielco Sistemi WinLog Lite SCADA HMI, a supervisory control and data acquisition/human-machine interface (SCADA/HMI).
The vulnerability is exploitable by overwriting the SEH to allow insertion and execution of shell-code, according to a report on ICS-CERT.
Independent security researcher “FaryadR” (aka Ciph3r) on the Web site packetstormsecurity.org released the report without coordination with either the vendor or ICS-CERT.
The vendor is aware of the report and is researching the vulnerability to identify mitigations. ICS-CERT issued its alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other cyber security attacks.
The report included vulnerability details and PoC exploit code for Sielco Sistemi WinLog Lite SCADA HMI, ver. 2.06.17.
If an attacker exploited this vulnerability, it could lead to possible code execution.
Italy-based Sielco Sistemi has sales and support offices worldwide providing multiple SCADA/HMI solutions.
Friday, September 14, 2012 @ 05:09 PM gHale
Siemens created an update that mitigates vulnerabilities in the Siemens WinCC WebNavigator application.
Siemens reports these vulnerabilities, which came straight to them from Positive Technologies, affect the WebNavigator component of WinCC 7.0 SP3 and earlier, according to a report on ICS-CERT.
Successful exploitation of these remotely exploitable vulnerabilities could allow an attacker to access sensitive data or possibly take over the WebNavigator session with the same rights as the victim.
WinCC/Web Navigator is a WinCC option that provides a Web interface for the Siemens SIMATIC WinCC Human Machine Interface (HMI). SIMATIC WinCC performs the following tasks: Process visualization, operator control of the process, alarm display, process value and alarm archiving, and machine parameter management. This software sees use in quite a few industries, including food and beverage, water and wastewater, oil and gas, and chemical.
In the cross site scripting vulnerability, an attacker can use social engineering to trick an authenticated user into clicking a malicious link. This action may execute JavaScript in the victim’s browser, which can have malicious behavior such as stealing a session cookie. CVE-2012-3031 is the number assigned to this vulnerability, which has a CVSS v2 base score of 8.3.
Cross site request forgery is similar to the cross site scripting vulnerability. It can also be triggered by an authenticated user clicking on a malicious link. However, this vulnerability also works if the user has disabled scripting in his or her browser. CVE-2012-3028 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.8.
If an attacker knows or guesses the right path and/or file name, he or she can read files on the system that hosts WebNavigator. CVE-2012-3030 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.
If an attacker sends a specially crafted SOAP (Simple Object Access Protocol) message to the server, the resulting SQL queries might read or write more data in the database than originally intended. CVE-2012-3032 is the number assigned to this vulnerability, which has a CVSS v2 base score of 5.0.
WebNavigator uses ActiveX controls in the user’s browser. The methods of these ActiveX controls can be called by any Web site this user visits. By using specially crafted parameters with these methods, an attacker can gain access to the username and password of a legitimate user.
One precondition for exploiting this vulnerability is that the attacker needs access to the Web server. CVE-2012-3034 is the number assigned to this vulnerability, which has a CVSS v2 base score of 8.3.
Siemens addresses these issues in a Siemens Security Advisory, SSA-864051, which is available on its Web site.
Siemens provides an update for WinCC 7.0 SP2, which fixes all vulnerabilities except the cross site request forgery. The company recommends installing the patch. Siemens also recommends users restrict access to WebNavigator, e.g., with a firewall or VPN gateway or to operate the service only within trusted networks.
No patch is yet available for vulnerability 2 (the cross site request forgery); Siemens recommends the following:
• Do not interact with other Internet-related services while logged in.
• Log out when the user does not need WebNavigator any more.