Slide 1

At Least Pretend You Care: Writing ICS Vulnerability Analysis
Sean McBride, S4 2014
Slide 2

Will you be my BFF?
Slide 3

We need Analysts – Badly!
Slide 4

Disclaimer
• Conducted analysis of nearly 900 public ICS-specific vulnerabilities
  – Constantly updating analytical approach and template
• Examples are only representative of issues
• If you don’t get named, it doesn’t mean you don’t need to improve
Slide 5

What we are dealing with
Diagram labels: Vulnerabilities; Discovered Vulns; Disclosed; Public
Slide 6

CI total counts by Quarter (chart)
Slide 7

By Repository (chart)
Slide 9

Leading Vendors

| Vendor | Vulns | Patches | Patch % | Exploits |
|---|---|---|---|---|
| Siemens | 99 | 73 | 73% | 16 |
| Rockwell | 49 | 27 | 55% | 5 |
| Schneider | 44 | 20 | 45% | 11 |
| ICONICS | 30 | 25 | 83% | 17 |
| RuggedCom | 25 | 24 | 96% | 2 |
| GE IP | 25 | 18 | 72% | 4 |

Based on empirical evidence.
Slide 10

To whom are you telling what, when, why?
Diagram labels: Disclosed; Focus Public
• Owner/Operators
  – ICS engineers
  – ICS compliance personnel
  – ICS security analysts
  – IT security analysts
• Engineer/Integration firms
  – Integrators
  – Support/maintenance
• Media
  – Reporters
  – Bloggers
• Security Industry
  – Intelligence firms
  – ISACs
  – Gov agencies
• Potential Adversaries
  – Activists/hacktivists
  – Malicious insiders
  – Nation states
Slide 11

Golden Question
• How could that vulnerability affect the controlled process?
• We can’t get that answer without:
  – Analytical expertise (IT, Infosec & ICS fields)
  – Accurate, reliable, consistent communications
Slide 12

Example 1 (Sep. 2013)

Schneider Electric was notified and is responding to a vulnerability in the MiCOM S1 Studio Software product. This software utility is used to configure and maintain electronic protective relays.

Schneider Electric has released a new version of MiCOM S1 Studio SW, V4.0.1, to address some of these vulnerabilities.
Slide 13

Example 1 (same advisory)

During install, Read/Write access by any user is permitted to MiCOM S1 Studio executables in the Program Files directory. This condition persists after installation. As a result of this access, the configuration files and the Windows service used by the program can be manipulated or modified by any user with local computer access.

Schneider Electric has released a new version of MiCOM S1 Studio SW, V4.0.1, to address some of these vulnerabilities. The installation routine of MiCOM 1 Studio V4.0.1 provides digital signature to all files related to the use of MiCOM S1 Studio: Digital signature indicates [to] operating systems and user that the libraries/executables are from Schneider Electric (Trusted source).
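The condition this advisory describes (executables and configuration under Program Files writable by any local user) is something an owner/operator can verify on their own engineering workstations rather than take on faith. The script below is an added example, not code from the talk or from Schneider Electric: it parses an icacls-style ACL listing and reports every file whose contents a non-privileged principal may change. The listing is constructed, and the line format, the set of write-capable rights and the list of privileged principals are assumptions made here for illustration.

```python
r"""Flag program files that non-privileged principals can modify.

Added example, not code from the talk or from any vendor. It parses an
icacls-style ACL listing (the shape of `icacls "C:\Program Files\Vendor" /T`
output on Windows). The listing below is constructed, and the line format,
the set of write-capable rights and the list of privileged principals are
assumptions made here for illustration.
"""
import re
from dataclasses import dataclass

# A line that starts a new entry: drive letter, a path ending in a code or
# configuration extension, then the first ACE on the same line.
HEADER_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|sys|bat|cmd|ps1|cfg|ini|xml))\s+(?P<ace>\S.*)$",
    re.IGNORECASE,
)
ANY_PATH_RE = re.compile(r"^[A-Za-z]:\\")
# One ACE: principal, a colon, then one or more parenthesised flag groups,
# e.g. BUILTIN\Users:(I)(OI)(CI)(RX). The last group holds the rights.
ACE_RE = re.compile(r"^(?P<principal>[^:()]+):(?P<groups>(?:\([^()]*\))+)$")

# Rights that allow changing file contents: F (full), M (modify), W (write),
# WD (write data), AD (append data). Assumed scope for this check.
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD"}

# Principals expected to hold write rights under Program Files (assumed list,
# lower-cased for comparison).
PRIVILEGED = {
    "nt authority\\system",
    "builtin\\administrators",
    "nt service\\trustedinstaller",
    "creator owner",
}


@dataclass(frozen=True)
class Finding:
    path: str
    principal: str
    rights: str  # write-capable rights granted, comma-separated


def parse_ace(text: str):
    """Return (principal, rights, is_deny), or None if text is not an ACE."""
    m = ACE_RE.match(text.strip())
    if not m:
        return None
    groups = re.findall(r"\(([^()]*)\)", m.group("groups"))
    rights = set(groups[-1].split(","))
    # Assumption: icacls marks deny entries with a (DENY) group.
    return m.group("principal").strip(), rights, "DENY" in groups


def find_writable_files(listing: str) -> list:
    """Return a Finding for every ACE granting write rights to a non-privileged principal."""
    findings = []
    current = None  # path of the entry whose ACEs are being read
    for raw in listing.splitlines():
        line = raw.strip()
        if not line:
            continue
        if ANY_PATH_RE.match(line):
            # New entry. Entries outside our scope (directories, other file
            # types) reset the state so their ACEs are not charged to the
            # previous file.
            h = HEADER_RE.match(line)
            if not h:
                current = None
                continue
            current, ace_text = h.group("path"), h.group("ace")
        else:
            ace_text = line  # continuation line: another ACE for `current`
        if current is None:
            continue
        parsed = parse_ace(ace_text)
        if parsed is None:
            continue
        principal, rights, is_deny = parsed
        if is_deny or principal.lower() in PRIVILEGED:
            continue
        granted = rights & WRITE_RIGHTS
        if granted:
            findings.append(Finding(current, principal, ",".join(sorted(granted))))
    return findings


# Constructed listing: one executable and one config file writable by Everyone
# (the condition the advisory describes), the rest locked down.
SAMPLE_LISTING = r"""
C:\Program Files\VendorStudio NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
                              BUILTIN\Administrators:(I)(OI)(CI)(F)
                              BUILTIN\Users:(I)(OI)(CI)(RX)
C:\Program Files\VendorStudio\Studio.exe Everyone:(I)(F)
                                         NT AUTHORITY\SYSTEM:(I)(F)
C:\Program Files\VendorStudio\Config\settings.cfg Everyone:(I)(M)
C:\Program Files\VendorStudio\Service.dll BUILTIN\Users:(I)(RX)
                                          NT AUTHORITY\SYSTEM:(I)(F)
                                          BUILTIN\Administrators:(I)(F)
C:\Program Files\VendorStudio\Updater.exe NT AUTHORITY\Authenticated Users:(I)(DENY)(W)
                                          NT AUTHORITY\Authenticated Users:(I)(RX)
                                          BUILTIN\Administrators:(I)(F)
Successfully processed 5 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for f in find_writable_files(SAMPLE_LISTING):
        print(f"{f.path}: {f.principal} may write ({f.rights})")
```

Run against a saved listing from the workstation in question, the two hits it reports on the sample (Studio.exe and settings.cfg, both granting Everyone write access) are exactly the class of finding this advisory is about; a digitally signed installer, as the fixed version provides, does not by itself remove such an ACL, so the check is worth repeating after the upgrade.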
Slide 14

Example 2 (Apr. 2013)

537599 - FactoryTalk Diagnostics and RSLinx Enterprise Software Vulnerability

Rockwell Automation was notified through ICS-CERT that Carsten Eiram from the security firm, Risk Based Security identified vulnerabilities that affect a software component of the FactoryTalk Service Platform (RNADiagnostics.dll) and two software components of RSLinx Enterprise software (LogReceiver.exe and Logger.dll).
Slide 15

Example 2 (same advisory)
• A specially crafted packet sent to TCP port 5241 will result in a crash of the RsvcHost.exe service. A successful attack will result in the following:
  – Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4445.
  – Crash condition that disrupts further execution of the RNADiagnostics.dll or RNADiagReceiver.exe diagnostic service.
• When successfully exploited, the vulnerability will cause the thread receiving data to exit, resulting in the service silently ignoring further incoming requests. A successful attack will result in two respective conditions:
  – Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4444.
  – Crash condition that disrupts further execution of the LogReceiver.exe
Slide 16

• ICSA-13-095-02, issued April 5, 2013:
  – CVE-2012-4695
  – CVE-2012-4713
  – CVE-2012-4714
  – CVE-2012-4715
Slide 17

INTEGER OVERFLOW – NEGATIVE INTEGER (CVE-2012-4713): The FactoryTalk Services Platform (RNADiagnostics.dll) does not validate input correctly and cannot allocate a negative integer. By sending a negative integer input to the service over Port 4445/UDP…
INTEGER OVERFLOW – OVERSIZED INTEGER (CVE-2012-4714) …
IMPROPER EXCEPTION HANDLING (CVE-2012-4695) …
OUT-OF-BOUNDS READ (CVE-2013-2805) …
INTEGER OVERFLOW (CVE-2013-2807) …
INTEGER OVERFLOW (CVE-2013-2806) …
Slide 18

• What about CVE-2012-4715?
• Apparently it was a repeat of CVE-2012-4695
• How did that happen?
Slide 19

More Analysis
• Reveals more problems
Slide 20

Lessons
• Don’t be tricky – customer relationships are about TRUST
• As much as possible: 1 advisory for 1 vulnerability
• Each vulnerability needs a unique identifier
• Specify what patch corresponds to what vuln
  – One patch can still fix many vulns
Slide 21

Kudos
Slide 22

Bug finders
• Limited experience with deployed ICS
• Downloaded free software/got access to this device…
• Did XYZ to it… It crashed…

| Researcher | Number disclosed |
|---|---|
| Luigi Auriemma* | 130 |
| GLEG* | 47 |
| Positive Technologies | 36 |
| Rios & McCorkle | 34 |
| Kuang-Chun Hung | 28 |

* own-terms disclosure
Slide 23

Example 3
From Luigi Auriemma (2010)

"RealWin is a SCADA server package for medium / small applications."

The service of the server running on port 912 is vulnerable to a stack based buffer-overflow caused by the usage of sprintf() for building a particular string with the data supplied by the attacker
Slide 24

Example 4
From Blake, posted to Exploit DB (September 2013)

<title>Mitsubishi MC-WorkX Suite Insecure ActiveX Control (IcoLaunch)</title> <p>This proof of concept will launch an arbitrary executable when the Login Client button is clicked. An attacker could use this to have the victim launch malicious code from a remote share.
Slide 25

Lessons
• Researchers don’t offer much ICS context
  – Working with Critical Intelligence or ICS-CERT, or other analytical organization might provide this
  – Working with experienced ICS professionals can provide this
• Researchers can give great technical detail
  – Tech detail may be stripped from coordinated disclosures
  – Critical Intelligence calls/emails researchers all the time for more info
Slide 26

Example 5
• Four vulns disclosed by Arthur Gervais at S4 2013
• ICS-CERT (March) update: “Two of the vulnerabilities initially reported have been determined not to be valid”
• By whom? Not Arthur!
Slide 27

Buy or Borrow?
• ICS-CERT
  – 3 of 6 “missions” deal with vulnerabilities
  – Alerts/advisories from 91 vendors
  – 82 vendors do not write their own
Slide 28

Good on them
• Handled 100s of vuln disclosures
• Provide some context
• Reliance on CWE
• Responsive to inquiries
• Moved to a Web format instead of PDF – way easier
Slide 29

Timing
• HSIN
  – ICS-CERT compartment
  – US citizen ICS owner/operators with “need to know”
  – Early notice on certain advisories
Slide 30

Example 6
Slide 31

Example 7
January 2014 Advisory

Affected Products
-------------------
The following [Vendor] versions are affected:
• All versions released prior to December 1, 2013,
• [Vendor Product Number] (Firmware from 2010), and
• [Vendor Product Number] (Latest Firmware).
Slide 32

Example 8
ICSA-13-219-01 (August 2013)

The RTAC master device can be sent into an infinite loop by sending a specially crafted TCP packet from the master station on an IP-based network

CVE-2013-2792: IP-based version
CVE-2013-2798: Serial version

Missing ICS understanding…
Slide 33

Lessons
• Give a balanced voice between researcher/vendor
• Rethink ICS-CERT HSIN compartment
• Err on the side of too much detail rather than too little (not asking for PoC/exploit)
• Have someone proofread/sanity check
Slide 34

Summary
1. At least pretend you care!
2. Who you gonna tell what, when and why?
3. Create, validate, use a template
4. Hire someone who knows and cares about security (and ICS) and make them responsible
5. Conduct analysis
6. Proofread/sanity check
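Several of the lessons in this deck are mechanical enough to check before an advisory goes out: one unique identifier per vulnerability (the CVE-2012-4715 repeat), a stated mapping from each vulnerability to the patch that fixes it, affected products given as concrete versions rather than "Latest Firmware" (Example 7), an answer to the golden question for each entry, and a sanity check before publishing. The script below is an added example, not code from the talk, from ICS-CERT or from any vendor; it treats an advisory as a dict with field names that are assumptions made here, and the two sample advisories, including their CVE ids, are constructed placeholders.

```python
"""Sanity-check a vulnerability advisory before it goes out.

Added example, not code from the talk, from ICS-CERT or from any vendor. The
advisory layout (a dict as it might be loaded from a JSON/YAML template) and
every field name are assumptions made here; both sample advisories below are
constructed, and their CVE ids are placeholders.
"""
import re

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
CWE_RE = re.compile(r"^CWE-\d+$")
# A concrete version has a dotted number (4.0.1, 2.1); "Latest Firmware" or a
# bare date does not.
VERSION_RE = re.compile(r"\d+\.\d+")


def validate_advisory(adv: dict) -> list:
    """Return a list of problems; an empty list means the advisory passes."""
    issues = []
    vulns = adv.get("vulnerabilities", [])
    fixes = {f["id"] for f in adv.get("fixes", [])}
    if not vulns:
        issues.append("advisory lists no vulnerabilities")

    seen_ids, seen_text = {}, {}
    for i, v in enumerate(vulns, 1):
        label = v.get("id") or f"vulnerability #{i}"

        # One unique identifier per vulnerability.
        vid = v.get("id", "")
        if not CVE_RE.match(vid):
            issues.append(f"{label}: missing or malformed CVE id")
        elif vid in seen_ids:
            issues.append(f"{label}: identifier already used by vulnerability #{seen_ids[vid]}")
        else:
            seen_ids[vid] = i

        # Two entries with the same wording are probably one bug listed twice.
        text = " ".join(v.get("description", "").split()).lower()
        if not text:
            issues.append(f"{label}: empty description")
        elif text in seen_text:
            issues.append(f"{label}: description duplicates vulnerability #{seen_text[text]}")
        else:
            seen_text[text] = i

        if not CWE_RE.match(v.get("cwe", "")):
            issues.append(f"{label}: missing or malformed CWE id")

        # The golden question: how could this affect the controlled process?
        if not v.get("process_impact", "").strip():
            issues.append(f"{label}: no statement of impact on the controlled process")

        # Say which fix covers which vulnerability (one fix may cover many).
        fixed_by = v.get("fixed_by", [])
        if not fixed_by:
            issues.append(f"{label}: not mapped to any fix")
        for fid in fixed_by:
            if fid not in fixes:
                issues.append(f"{label}: references unknown fix '{fid}'")

    # Affected products need concrete versions, not "latest firmware".
    for p in adv.get("affected", []):
        name = p.get("product", "<unnamed product>")
        versions = p.get("versions", [])
        if not versions:
            issues.append(f"{name}: no affected versions given")
        for ver in versions:
            if not VERSION_RE.search(ver):
                issues.append(f"{name}: affected version '{ver}' is not a concrete version")
    return issues


# Constructed sample with the faults the talk points at: the same CVE (and the
# same text) listed twice, no process impact, and vague affected versions.
SLOPPY_ADVISORY = {
    "id": "EXAMPLE-ADV-0001",  # placeholder
    "affected": [
        {"product": "Example Controller",
         "versions": ["All versions released prior to December 1, 2013"]},
        {"product": "Example Gateway", "versions": ["Latest Firmware"]},
    ],
    "fixes": [{"id": "FW-4.0.1", "note": "firmware 4.0.1 (placeholder)"}],
    "vulnerabilities": [
        {"id": "CVE-2013-0001", "cwe": "CWE-20",  # placeholder CVE
         "description": "A negative length field is not validated before allocation.",
         "process_impact": "", "fixed_by": ["FW-4.0.1"]},
        {"id": "CVE-2013-0001", "cwe": "CWE-20",
         "description": "A negative length field is not validated before allocation.",
         "process_impact": "", "fixed_by": []},
    ],
}

# The same content written the way the lessons ask for it (constructed).
CLEAN_ADVISORY = {
    "id": "EXAMPLE-ADV-0002",
    "affected": [{"product": "Example Controller", "versions": ["3.0.0 through 4.0.0"]}],
    "fixes": [{"id": "FW-4.0.1", "note": "firmware 4.0.1 (placeholder)"}],
    "vulnerabilities": [
        {"id": "CVE-2013-0001", "cwe": "CWE-20",
         "description": "A negative length field is not validated before allocation.",
         "process_impact": "Diagnostics service stops; control loop unaffected, loss of view only.",
         "fixed_by": ["FW-4.0.1"]},
        {"id": "CVE-2013-0002", "cwe": "CWE-20",
         "description": "An oversized length field causes an out-of-bounds read.",
         "process_impact": "Service crash; operator loses log visibility until restart.",
         "fixed_by": ["FW-4.0.1"]},
    ],
}

if __name__ == "__main__":
    for name, adv in (("sloppy", SLOPPY_ADVISORY), ("clean", CLEAN_ADVISORY)):
        problems = validate_advisory(adv)
        print(f"{name}: {len(problems)} issue(s)")
        for p in problems:
            print("  -", p)
```

The sloppy sample trips seven checks and the clean one none. A check like this does not replace the analyst (it cannot tell whether the process-impact sentence is true), but it catches the duplicate-identifier and vague-version mistakes the deck complains about before a reader does.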
Slide 35

Will you be my BFF?
Slide 36

Image Credits
• Slide 1: PikiWiki Israel 10402 Environment of Israel.JPG; דניאל אורי; Creative Commons Attribution 2.5 Generic license; http://commons.wikimedia.org/wiki/File:PikiWiki_Israel_10402_Environment_of_Israel.JPG
• Slide 11: Panning; Murdoch, George G.; http://commons.wikimedia.org/wiki/File:Panning2.jpg
• Slide 29: One Canada Square, Canary Wharf; Garry Knight; Creative Commons Attribution-Share Alike 2.0 Generic; http://commons.wikimedia.org/wiki/File:One_Canada_Square,_Canary_Wharf.jpg