Note: I have two posts going up tomorrow on ICS-CERT and DHS. The first is on what ICS-CERT actually does vs. expectation and lore. The second is reaction to the DHS Office of Inspector General (OIG) report on DHS’s performance in securing ICS.
Yesterday ICS-CERT issued an update to the Schneider Electric Multiple Vulnerabilities Alert. The Alert claims that two of the vulnerabilities that Arthur Gervais of ETH Zurich presented at S4x13 (see video below) were not valid.
The exact wording in the Alert is:
“Two of the vulnerabilities initially reported have been determined not to be valid”.
A typical reader would believe that this is a result of ICS-CERT’s analysis or consensus between the vendor and researcher. Not true. It is based on what the vendor told ICS-CERT. It is another example of ICS-CERT simply being a vendor megaphone.
Upon reading the Updated Alert I asked Arthur if he would like to respond. Here is what he wrote:
The ICS-CERT claimed two out of four reported vulnerabilities as invalid. We believe, Schneider found a fifth vulnerability in their products. Cited from the ICS alert:
“In Schneider Electric’s testing on the reported issue, the module does in fact stop communicating when the connection limit is exceeded, but the PLC continues its control functions and its operation is unaffected. After the connection limit is exceeded, the communications module performs a soft reset.”
Hereby, the ICS-CERT just disclosed a new vulnerability in a Schneider communication module (probably a BMX NOE).
Regarding our submission (1) a TCP connection resource exhaustion against a Schneider Modicon M340, the attack has been tested on the latest Schneider Firmware M340_OS_V2.50 (24/07/2012). The video presented at S4x13 should furthermore show the effectiveness of the attack (where the PLC stops completely). We have not provided Schneider with the attack code, but the description should suffice to follow the attack. Schneider can still purchase our attack code, which is as we confirm, still effective against the latest firmware.
Regarding (2) the hard coded credentials, they are not documented and active in the default configuration. Schneider found a way to deactivate them with a configuration, so it should probably be called a default configuration issue. We have been informed by Schneider that our report has enabled them to find further related problems and are glad to have helped Schneider to secure their products.
I don’t know if the vendor or Arthur is accurate. Whatever the truth is, ICS-CERT is not in a position to make such a declarative statement.
Compare this to ICS-CERT’s wording in the initial alert:
ICS-CERT is aware of a public report concerning multiple vulnerabilities in multiple Schneider Electric Products. These vulnerabilities were released by Arthur Gervais at the Digital Bond SCADA Security Scientific Symposium (S4) conference. ICS-CERT notified the affected vendor of the report and asked the vendor to confirm the vulnerabilities and identify mitigations. ICS-CERT is issuing this alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.
Note the level of cautionary words in accepting the vulnerabilities are valid. This level of caution is entirely absent when the vendor states the vulns are not valid.