Writing ICS Vulnerability Analysis
DESCRIPTION
Sean McBride of Critical Intelligence goes into some real-world examples of success and failure in ICS vulnerability analysis. Viewers should be aware there may be a bit of bias toward pointing out shortcomings, since this is what Critical Intelligence does for a living, but loyal blog readers and anyone with insight know that the ICS-CERT Alerts and Advisories rarely provide worthwhile analysis. If you are looking for ICS vulnerability statistical data, the first nine slides have very useful charts. The remainder of the presentation goes through some typical and important failures by ICS-CERT and vendor CERTs.
TRANSCRIPT
![Page 1: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/1.jpg)
At Least Pretend You Care: Writing ICS Vulnerability Analysis
Sean McBride, S4 2014
![Page 2: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/2.jpg)
Will you be my BFF?
![Page 3: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/3.jpg)
We need Analysts – Badly!
![Page 4: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/4.jpg)
Disclaimer
• Conducted analysis of nearly 900 public ICS-specific vulnerabilities
  – Constantly updating analytical approach and template
• Examples are only representative of issues
• If you don't get named, it doesn't mean you don't need to improve
![Page 5: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/5.jpg)
What we are dealing with
(figure; labels: Vulnerabilities, Discovered Vulns, Disclosed, Public)
![Page 6: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/6.jpg)
CI total counts by Quarter (chart; not reproduced in the transcript)
![Page 7: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/7.jpg)
By Repository (chart; not reproduced in the transcript)
![Page 8: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/8.jpg)
![Page 9: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/9.jpg)
Leading Vendors

| Vendor | Vulns | Patches | Patch % | Exploits |
|---|---|---|---|---|
| Siemens | 99 | 73 | 73% | 16 |
| Rockwell | 49 | 27 | 55% | 5 |
| Schneider | 44 | 20 | 45% | 11 |
| ICONICS | 30 | 25 | 83% | 17 |
| RuggedCom | 25 | 24 | 96% | 2 |
| GE IP | 25 | 18 | 72% | 4 |

Based on empirical evidence.
![Page 10: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/10.jpg)
To whom are you telling what, when, why?
• Owner/Operators – ICS engineers, ICS compliance personnel, ICS security analysts, IT security analysts
• Engineer/Integration firms – Integrators, Support/maintenance
• Media – Reporters, Bloggers
• Security Industry – Intelligence firms, ISACs, Gov agencies
• Potential Adversaries – Activists/hacktivists, Malicious insiders, Nation states
(figure labels: Disclosed; Focus; Public)
![Page 11: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/11.jpg)
Golden Question
• How could that vulnerability affect the controlled process?
• We can't get that answer without:
  – Analytical expertise (IT, Infosec & ICS fields)
  – Accurate, reliable, consistent communications
![Page 12: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/12.jpg)
Example 1 (Sep. 2013)
Schneider Electric was notified and is responding to a vulnerability in the MiCOM S1 Studio Software product. This software utility is used to configure and maintain electronic protective relays.
Schneider Electric has released a new version of MiCOM S1 Studio SW, V4.0.1, to address some of these vulnerabilities.
![Page 13: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/13.jpg)
Example 1 (same advisory)
During install, Read/Write access by any user is permitted to MiCOM S1 Studio executables in the Program Files directory. This condition persists after installation. As a result of this access, the configuration files and the Windows service used by the program can be manipulated or modified by any user with local computer access.
Schneider Electric has released a new version of MiCOM S1 Studio SW, V4.0.1, to address some of these vulnerabilities. The installation routine of MiCOM 1 Studio V4.0.1 provides digital signature to all files related to the use of MiCOM S1 Studio: Digital signature indicates [to] operating systems and user that the libraries/executables are from Schneider Electric (Trusted source).
![Page 14: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/14.jpg)
Example 2 (Apr. 2013)
537599 - FactoryTalk Diagnostics and RSLinx Enterprise Software Vulnerability
Rockwell Automation was notified through ICS-CERT that Carsten Eiram from the security firm, Risk Based Security identified vulnerabilities that affect a software component of the FactoryTalk Service Platform (RNADiagnostics.dll) and two software components of RSLinx Enterprise software (LogReceiver.exe and Logger.dll).
![Page 15: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/15.jpg)
Example 2 (same advisory)
• A specially crafted packet sent to TCP port 5241 will result in a crash of the RsvcHost.exe service. A successful attack will result in the following:
  – Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4445.
  – Crash condition that disrupts further execution of the RNADiagnostics.dll or RNADiagReceiver.exe diagnostic service.
• When successfully exploited, the vulnerability will cause the thread receiving data to exit, resulting in the service silently ignoring further incoming requests. A successful attack will result in two respective conditions:
  – Denial of Service (DoS) condition that prevents subsequent processing of connections on UDP port 4444.
  – Crash condition that disrupts further execution of the LogReceiver.exe
![Page 16: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/16.jpg)
• ICSA-13-095-02, issued April 5, 2013:
  – CVE-2012-4695
  – CVE-2012-4713
  – CVE-2012-4714
  – CVE-2012-4715
![Page 17: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/17.jpg)
INTEGER OVERFLOW – NEGATIVE INTEGER (CVE-2012-4713)
The FactoryTalk Services Platform (RNADiagnostics.dll) does not validate input correctly and cannot allocate a negative integer. By sending a negative integer input to the service over Port 4445/UDP…
INTEGER OVERFLOW – OVERSIZED INTEGER (CVE-2012-4714) …
IMPROPER EXCEPTION HANDLING (CVE-2012-4695) …
OUT-OF-BOUNDS READ (CVE-2013-2805) …
INTEGER OVERFLOW (CVE-2013-2807) …
INTEGER OVERFLOW (CVE-2013-2806) …
![Page 18: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/18.jpg)
• What about CVE-2012-4715?
• Apparently it was a repeat of CVE-2012-4695
• How did that happen?
![Page 19: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/19.jpg)
More Analysis
• Reveals more problems
![Page 20: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/20.jpg)
Lessons
• Don't be tricky – customer relationships are about TRUST
• As much as possible: 1 advisory for 1 vulnerability
• Each vulnerability needs a unique identifier
• Specify what patch corresponds to what vuln
  – One patch can still fix many vulns
![Page 21: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/21.jpg)
Kudos
![Page 22: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/22.jpg)
Bug finders
• Limited experience with deployed ICS
• Downloaded free software/got access to this device…
• Did XYZ to it… It crashed…

| Researcher | Number disclosed |
|---|---|
| Luigi Auriemma* | 130 |
| GLEG* | 47 |
| Positive Technologies | 36 |
| Rios & McCorkle | 34 |
| Kuang-Chun Hung | 28 |

* own-terms disclosure
![Page 23: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/23.jpg)
Example 3
From Luigi Auriemma (2010)
"RealWin is a SCADA server package for medium / small applications."
The service of the server running on port 912 is vulnerable to a stack based buffer-overflow caused by the usage of sprintf() for building a particular string with the data supplied by the attacker
![Page 24: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/24.jpg)
Example 4
From Blake, posted to Exploit DB (September 2013)
<title>Mitsubishi MC-WorkX Suite Insecure ActiveX Control (IcoLaunch)</title> <p>This proof of concept will launch an arbitrary executable when the Login Client button is clicked. An attacker could use this to have the victim launch malicious code from a remote share.
![Page 25: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/25.jpg)
Lessons
• Researchers don't offer much ICS context
  – Working with Critical Intelligence or ICS-CERT, or other analytical organization might provide this
  – Working with experienced ICS professionals can provide this
• Researchers can give great technical detail
  – Tech detail may be stripped from coordinated disclosures
  – Critical Intelligence calls/emails researchers all the time for more info
![Page 26: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/26.jpg)
Example 5
• Four vulns disclosed by Arthur Gervais at S4 2013
• ICS-CERT (March) update: "Two of the vulnerabilities initially reported have been determined not to be valid"
• By whom? Not Arthur!
![Page 27: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/27.jpg)
Buy or Borrow?
• ICS-CERT
  – 3 of 6 "missions" deal with vulnerabilities
  – Alerts/advisories from 91 vendors
  – 82 vendors do not write their own
![Page 28: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/28.jpg)
Good on them
• Handled 100s of vuln disclosures
• Provide some context
• Reliance on CWE
• Responsive to inquiries
• Moved to a Web format instead of PDF – way easier
![Page 29: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/29.jpg)
Timing
• HSIN
  – ICS-CERT compartment
  – US citizen ICS owner/operators with "need to know"
  – Early notice on certain advisories
![Page 30: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/30.jpg)
Example 6!
![Page 31: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/31.jpg)
Example 7
January 2014 Advisory
Affected Products
-------------------
The following [Vendor] versions are affected:
• All versions released prior to December 1, 2013,
• [Vendor Product Number] (Firmware from 2010), and
• [Vendor Product Number] (Latest Firmware).
![Page 32: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/32.jpg)
Example 8
ICSA-13-219-01 (August 2013)
The RTAC master device can be sent into an infinite loop by sending a specially crafted TCP packet from the master station on an IP-based network
CVE-2013-2792: IP-based version
CVE-2013-2798: Serial version
Missing ICS understanding… (note that the quoted sentence has the "master device" attacked "from the master station", and that the second CVE covers a serial, not IP-based, version)
![Page 33: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/33.jpg)
Lessons
• Give a balanced voice between researcher/vendor
• Rethink ICS-CERT HSIN compartment
• Err on the side of too much detail rather than too little (not asking for PoC/exploit)
• Have someone proof read/sanity check
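The lessons on this slide and on the earlier Lessons slide (one identifier per vulnerability, patch-to-vuln mapping, enough detail), together with Example 2 (a CVE that repeated another) and Example 7 (affected products scoped by release date and "Latest Firmware"), reduce to checks an advisory author can run over a draft before it ships. The script below is an added example written for this page, not code from the talk, from ICS-CERT or from any vendor. The record layout, the regular expressions and the sample records are assumptions: the sample advisories are constructed from the slide text, with the wording of CVE-2012-4715 made identical to CVE-2012-4695 to model "a repeat", a placeholder CVE id in the rewritten Example 1, and the patch reference "KB 537599" used as a stand-in for the fix mapping the slides do not give. The checks are written generally, so they apply to any advisory in this shape, not only the two quoted.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    cve: str            # the one identifier for this vulnerability
    title: str          # weakness class, e.g. "INTEGER OVERFLOW - NEGATIVE INTEGER"
    description: str    # what the bug is and where it is reachable (component, port)
    fixed_in: str = ""  # patch or version that closes it; "" = the advisory does not say


@dataclass
class Advisory:
    ident: str
    affected: List[str]      # the "Affected Products" lines
    findings: List[Finding]


VERSION_RE = re.compile(r"\b[vV]?\d+(?:\.\d+)+\b")  # 4.0.1, V2.8, 5.1.0.1
# scoping by release date ("prior to December 1, 2013", "from 2010") instead of by version
DATE_SCOPE_RE = re.compile(r"\b(?:prior to|before|after|since|from)\b.*\b(?:19|20)\d{2}\b", re.I)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def _norm(text: str) -> str:
    """Case- and whitespace-insensitive form, used to spot one bug filed under two IDs."""
    return " ".join(text.lower().split())


def check_advisory(adv: Advisory) -> List[str]:
    """Return the problems found; an empty list means every check passed."""
    problems: List[str] = []
    # Each vulnerability needs a unique, well-formed identifier.
    for f in adv.findings:
        if not CVE_RE.fullmatch(f.cve):
            problems.append(f"{adv.ident}: finding '{f.title}' has no well-formed CVE id ({f.cve!r})")
    for cve, n in Counter(f.cve for f in adv.findings).items():
        if n > 1:
            problems.append(f"{adv.ident}: {cve} is attached to {n} findings")
    # Example 2: CVE-2012-4715 turned out to be a repeat of CVE-2012-4695.
    by_text = defaultdict(list)
    for f in adv.findings:
        by_text[_norm(f.title + " " + f.description)].append(f.cve)
    for cves in by_text.values():
        if len(cves) > 1:
            problems.append(f"{adv.ident}: identical text under {', '.join(cves)}")
    # Say which patch fixes which vuln (one patch may still fix many).
    for f in adv.findings:
        if not f.fixed_in.strip():
            problems.append(f"{adv.ident}: {f.cve} is not mapped to a patch or fixed version")
    # Example 7: an owner/operator needs version numbers, not release dates or "latest".
    for line in adv.affected:
        if not VERSION_RE.search(line):
            problems.append(f"{adv.ident}: affected entry has no version number: {line!r}")
        if DATE_SCOPE_RE.search(line):
            problems.append(f"{adv.ident}: affected entry scoped by date, not version: {line!r}")
        if re.search(r"\blatest\b", line, re.I):
            problems.append(f"{adv.ident}: 'latest' is not a version: {line!r}")
    return problems


# Constructed records. CVE ids, titles and the 4445/UDP port come from the slides; the
# descriptions, the duplicated wording for CVE-2012-4715 and the fixed_in references are
# assumptions made for this demonstration, not the vendor's or ICS-CERT's text.
_FIX = "Rockwell KB 537599 (assumed mapping)"
EXAMPLE_2 = Advisory("ICSA-13-095-02", affected=[], findings=[  # affected list not on the slides
    Finding("CVE-2012-4713", "INTEGER OVERFLOW - NEGATIVE INTEGER",
            "RNADiagnostics.dll cannot allocate a negative integer sent over 4445/UDP", _FIX),
    Finding("CVE-2012-4714", "INTEGER OVERFLOW - OVERSIZED INTEGER",
            "RNADiagnostics.dll does not validate an oversized integer (assumed text)", _FIX),
    Finding("CVE-2012-4695", "IMPROPER EXCEPTION HANDLING",
            "receiving thread exits on malformed input; further requests silently ignored", _FIX),
    Finding("CVE-2012-4715", "Improper Exception Handling",
            "receiving thread exits on malformed input; further requests silently ignored", _FIX),
])
EXAMPLE_7 = Advisory("January 2014 advisory (vendor redacted on the slide)", affected=[
    "All versions released prior to December 1, 2013",
    "[Vendor Product Number] (Firmware from 2010)",
    "[Vendor Product Number] (Latest Firmware)",
], findings=[Finding("", "(not quoted on the slide)", "")])
# Example 1 rewritten the way the lessons ask (placeholder CVE id, not a real one).
CLEAN = Advisory("MiCOM S1 Studio (rewrite)", affected=["MiCOM S1 Studio prior to V4.0.1"], findings=[
    Finding("CVE-0000-0001", "INCORRECT DEFAULT PERMISSIONS",
            "Program Files executables and config files writable by any local user", "V4.0.1"),
])

if __name__ == "__main__":
    for adv in (EXAMPLE_2, EXAMPLE_7, CLEAN):
        print(adv.ident, "->", check_advisory(adv) or ["ok"])
```

Run as a script it prints one line per sample: the Example 2 record is flagged only for the two identifiers that carry the same text, the Example 7 record for the missing identifier and patch mapping and for all three affected entries, and the rewritten Example 1 record passes. The duplicate check is deliberately text-based rather than CVE-based, because a repeat hides exactly where the identifiers differ.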
![Page 34: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/34.jpg)
Summary
1. At least pretend you care!
2. Who you gonna tell what, when and why?
3. Create, validate, use a template
4. Hire someone who knows and cares about security (and ICS) and make them responsible
5. Conduct analysis
6. Proof read/sanity check
![Page 35: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/35.jpg)
Will you be my BFF?
![Page 36: Writing ICS Vulnerability Analysis](https://reader034.vdocument.in/reader034/viewer/2022051322/546c442db4af9f842c8b503e/html5/thumbnails/36.jpg)
Image Credits
• Slide 1: PikiWiki Israel 10402 Environment of Israel.JPG; דניאל אורי; Creative Commons Attribution 2.5 Generic license; http://commons.wikimedia.org/wiki/File:PikiWiki_Israel_10402_Environment_of_Israel.JPG
• Slide 11: Panning; Murdoch, George G.; http://commons.wikimedia.org/wiki/File:Panning2.jpg
• Slide 29: One Canada Square, Canary Wharf; Garry Knight; Creative Commons Attribution-Share Alike 2.0 Generic; http://commons.wikimedia.org/wiki/File:One_Canada_Square,_Canary_Wharf.jpg