Race condition in the mounting process in vmware-mount in VMware Workstation 7.x before 7.1.2 build 301548 on Linux, VMware Player 3.1.x before 3.1.2 build 301548 on Linux, VMware Server 2.0.2 on Linux, and VMware Fusion 3.1.x before 3.1.2 build 332101 allows host OS users to gain privileges via vectors involving temporary files.

**VMware Security Announcements** security-announce at lists.vmware.com  
_Thu Dec 2 22:53:35 PST 2010_

*   Previous message: \[Security-announce\] VMSA-2010-0017 VMware ESX third party update for Service Console kernel
*   Next message: \[Security-announce\] VMSA-2010-0019 VMware ESX third party updates for Service Console
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID:       VMSA-2010-0018
Synopsis:          VMware hosted products and ESX patches resolve
                   multiple security issues
Issue date:        2010-12-02
Updated on:        2010-12-02 (initial release of advisory)
CVE numbers:       CVE-2010-4295 CVE-2010-4296 CVE-2010-4297
                   CVE-2010-4294
- ------------------------------------------------------------------------

1. Summary

   VMware hosted products and ESX patches resolve multiple security
   issues.

2. Relevant releases

   VMware Workstation 7.1.1 and earlier,
   VMware Workstation 6.5.4 and earlier,
   VMware Player 3.1.1 and earlier,
   VMware Player 2.5.4 and earlier,

   VMware Fusion 3.1.1 and earlier,

   ESXi 4.1 without patch ESXi410-201010402-BG or later
   ESXi 4.0 without patch ESXi400-201009402-BG or later
   ESXi 3.5 without patch ESXe350-201008402-T-BG or later

   ESX 4.1 without patch ESX410-201010405-BG
   ESX 4.0 without patch ESX400-201009401-SG
   ESX 3.5 without patch ESX350-201008409-BG

   Note: VMware Server was declared End Of Availability on January 2010,
         support will be limited to Technical Guidance for the duration
         of the support term.

3. Problem Description

 a. VMware Workstation, Player and Fusion vmware-mount race condition

    The way temporary files are handled by the mounting process could
    result in a race condition. This issue could allow a local user on
    the host to elevate their privileges.

    VMware Workstation and Player running on Microsoft Windows are not
    affected.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-4295 to this issue.

    VMware would like to thank Dan Rosenberg for reporting this issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Workstation    7.x       Linux    7.1.2 Build 301548 or later
    Workstation    7.x       Windows  not affected
    Workstation    6.5.x     any      not affected

    Player         3.1.x     Linux    3.1.2 Build 301548 or later
    Player         3.1.x     Windows  not affected
    Player         2.5.x     any      not affected

    AMS            any       any      not affected

    Server         2.0.2     Linux    affected, no patch planned
    Server         2.0.2     Windows  not affected

    Fusion         3.1.x     Mac OS/X 3.1.2 Build 332101 or later
    Fusion         2.x       Mac OS/X not affected

    ESXi           any       ESXi     not affected

    ESX            any       ESX      not affected


 b. VMware Workstation, Player and Fusion vmware-mount privilege
    escalation

    vmware-mount which is a suid binary has a flaw in the way libraries
    are loaded.  This issue could allow local users on the host to
    execute arbitrary shared object files with root privileges.

    VMware Workstation and Player running on Microsoft Windows are not
    affected.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-4296 to this issue.

    VMware would like to thank Martin Carpenter for reporting this
    issue.

    The following table lists what action remediates the vulnerability
    (column 4) if a solution is available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Workstation    7.x       Linux    7.1.2 Build 301548 or later
    Workstation    7.x       Windows  not affected
    Workstation    6.5.x     any      not affected

    Player         3.1.x     Linux    3.1.2 Build 301548 or later
    Player         3.1.x     Windows  not affected
    Player         2.5.x     any      not affected

    AMS            any       any      not affected

    Server         2.0.2     Linux    affected, no patch planned
    Server         2.0.2     Windows  not affected

    Fusion         3.1.x     Mac OS/X 3.1.2 Build 332101
    Fusion         2.x       Mac OS/X not affected

    ESXi           any       ESXi     not affected

    ESX            any       ESX      not affected


 c. OS Command Injection in VMware Tools update

    A vulnerability in the input validation of VMware Tools update
    allows for injection of commands. The issue could allow a  user
    on the host to execute commands on the guest operating system
    with root privileges.

    The issue can only be exploited if VMware Tools is not fully
    up-to-date.  Windows-based virtual machines are not affected.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-4297 to this issue.

    VMware would like to thank Nahuel Grisolia of Bonsai Information
    Security, http://www.bonsai-sec.com, for reporting this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Workstation    7.x       any      7.1.2 Build 301548 or later
    Workstation    6.5.x     any      6.5.5 Build 328052 or later

    Player         3.1.x     any      3.1.2 Build 301548 or later
    Player         2.5.x     any      2.5.5 Build 328052 or later

    AMS            any       any      not affected

    Server         2.0.2     any      affected, no patch planned

    Fusion         3.1.x     Mac OS/X 3.1.2 Build 332101
    Fusion         2.x       Mac OS/X 2.0.8 Build 328035

    ESXi           4.1       ESXi     ESXi410-201010402-BG
    ESXi           4.0       ESXi     ESXi400-201009402-BG
    ESXi           3.5       ESXi     ESXe350-201008402-T-BG \*\*

    ESX            4.1       ESX      ESX410-201010405-BG
    ESX            4.0       ESX      ESX400-201009401-SG
    ESX            3.5       ESX      ESX350-201008409-BG \*\*
    ESX            3.0.3     ESX      not affected

  \* hosted products are VMware Workstation, Player, ACE, Fusion.
  \*\* Non Windows-based guest systems on ESXi 3.5 and ESX 3.5 only:
     - Install the relevant ESX patch.
     - Manually upgrade tools in the virtual machine (virtual machine
       users will not be prompted to upgrade tools).  Note the VI
       Client may not show that the VMware tools is out of date in the
       summary tab.

 d. VMware VMnc Codec frame decompression remote code execution

    The VMware movie decoder contains the VMnc media codec that is
    required to play back movies recorded with VMware Workstation,
    VMware Player and VMware ACE, in any compatible media player. The
    movie decoder is installed as part of VMware Workstation, VMware
    Player and VMware ACE, or can be downloaded as a stand alone
    package.

    A function in the decoder frame decompression routine implicitly
    trusts a size value.  An attacker can utilize this to miscalculate
    a destination pointer, leading to the corruption of a heap buffer,
    and could allow for execution of arbitrary code with the privileges
    of the user running an application utilizing the vulnerable codec.

    For an attack to be successful the user must be tricked into
    visiting a malicious web page or opening a malicious video file on
    a system that has the vulnerable version of the VMnc codec installed.

    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2010-4294 to this issue.

    VMware would like to thank Aaron Portnoy and Logan Brown of
    TippingPoint DVLabs for reporting this issue.

    Column 4 of the following table lists the action required to
    remediate the vulnerability in each release, if a solution is
    available.

    VMware         Product   Running  Replace with/
    Product        Version   on       Apply Patch
    =============  ========  =======  =================
    VirtualCenter  any       Windows  not affected

    Movie Decoder  any       Windows  7.1.2 Build 301548 or later
    Movie Decoder  any       Windows  6.5.5 Build 328052 or later

    Workstation    7.x       Windows  7.1.2 Build 301548 or later
    Workstation    7.x       Linux    not affected
    Workstation    6.5.x     Windows  6.5.5 build 328052 or later
    Workstation    6.5.x     Linux    not affected

    Player         3.x       Windows  3.1.2 Build 301548 or later
    Player         3.x       Linux    not affected
    Player         2.5.x     Windows  2.5.5 build 246459 or later
    Player         2.5.x     Linux    not affected

    AMS            any       any      not affected

    Server         2.x       Window   affected, no patch planned
    Server         2.x       Linux    not affected

    Fusion         any       Mac OS/X not affected

    ESXi           any       ESXi     not affected

    ESX            any       ESX      not affected

4. Solution
   Please review the patch/release notes for your product and version
   and verify the md5sum and/or the sha1sum of your downloaded file.

   VMware Workstation Movie Decoder
   --------------------------------
   Workstation 7.1.2 Movie Decoder
   md5sum: a4d761a21670c735d04abb89e674656e
   sha1sum: b66673c30f3b8b8fb18035d08a6255f478be875d

   Workstation 6.5.5 Movie Decoder build 328052
   md5sum: 1223bb57d97df39259be2c6c90a65ba6
   sha1sum: 3ae7cdeeeebf6a716ec73f934077545945474ff6


   VMware Workstation 7.1.3
   ------------------------
   http://www.vmware.com/download/ws/
   Release notes:
   http://downloads.vmware.com/support/ws71/doc/releasenotes\_ws713.html

   Workstation for Windows 32-bit and 64-bit with VMware Tools
   md5sum: 7b9dc01bf733047a00711f5800df6107
   sha1sum: 5f36117c64455f3dff3b7410a0bfc72e41905181

   Workstation for Windows 32-bit and 64-bit without VMware Tools
   md5sum: d102006f7a3951dd58325f5b4e151abe
   sha1sum: ccfd70278d3c89b38776d656fa797ca8e9b28d55

   Workstation 6.5.5
   -----------------
   http://www.vmware.com/download/ws/
   Release notes:
   http://downloads.vmware.com/support/ws65/doc/releasenotes\_ws655.html

   Workstation for Windows 32-bit and 64-bit
   md5sum: 7bff9b621529efb0de808a45e7821274
   sha1sum: 41af7a9a78717cb85dd30b4d830e99fd5de49cc1

   Workstation for Linux 32-bit	(rpm)
   md5sum: 17c3f1a0e6ccf2b1e224a5d75c845a47
   sha1sum: 3027b4e2215fae84fa9311f8cd762fee17e89df0

   Workstation for Linux 32-bit	(bundle)
   md5sum: 7c24811fb999204f144d8b9f50e9fcae
   sha1sum: 18a05e6f4f772b7f0563dbd17596b66d1db8e9fa

   Workstation for Linux 64-bit	(rpm)
   md5sum: c25c2535d8091c4d46701ed081347901
   sha1sum: f4356bc224ea9805dac2d4b677f88a2f4220353e

   Workstation for Linux 64-bit	(bundle)
   md5sum: 7012bdaf182d256672ff2eb24b00a40f
   sha1sum: 58ecb2a494d4c7cc663e2028cf76c13d458fecac

   VMware Player 3.1.3
   -------------------
   http://www.vmware.com/download/player/
   Release notes:

http://downloads.vmware.com/support/player31/doc/releasenotes\_player313.html

   VMware Player for Windows 32-bit and 64-bit	
   md5sum: bd66a0ab8ae87d5cfa32b8ff44f99d1f
   sha1sum: 8ab358efc97a64639cce83766c35d43b0d662132

   VMware Player for Linux 32-bit (bundle)
   md5sum: e5d0bf19a1908262f63a8f88df77f73e
   sha1sum: 4abb87d37706c47a86337ada1d23d390455e4931

   VMware Player for Linux 64-bit (bundle)
   md5sum: 18e6aae025ee2ef9f10ce6d9271ce472
   sha1sum: 6608bce64811be4480e667726aefefdc2b71e4e3

   VMware Player 2.5.5
   -------------------
   VMware Player 2.5.5 for Windows 32-bit and 64-bit
   md5sum: 780b2c4e2b1610dea3090b1cd81d5ad7
   sha1sum: f6c451a11a4fe66e5a465de960de1358e83b8314

   VMware Player 2.5.5 for Linux 32-bit (rpm)
   md5sum: 9e13ee3904bd2377ffb8cfa66460fe92
   sha1sum: 2482acad19f6b23cf0c236d1ce87d4805b7b0e6c 	

   VMware Player 2.5.5 for Linux 32-bit (bundle)
   MD5SUM: 46dcfe9343f688d60e249d9e9c3853a4
   SHA1SUM: abfdeaf2cac83c630662607e7b95439367376abf 	

   VMware Player 2.5.5 for Linux 64-bit (rpm)
   MD5SUM: 52d6dcdeed9e564c8cfe8c35cec885f0
   SHA1SUM: dbaa6dac55f592b9c6b16d7505796a2580836f4b 	

   VMware Player 2.5.5 for Linux 64-bit (bundle)
   md5sum: 6c9a677820010ccd20f829cb5d2c057b
   sha1sum: ff6eccba3125229e8adbc1cb96764c2f116d89c5 	

   VMware Fusion
   -------------

   VMware Fusion 3.1.2 build 332101
   md5sum: a809170c9bd55a102c007c20269c4729
   sha1sum: bf56e0f873d8e0d67fd73fba5e597e0931083e03 	

   VMware Fusion Lite 3.1.2 build 332101
   md5sum: d7db517cb25320152723f8535c90dd16
   sha1sum: 555d9bd03327731270acfc851ba15b28ef3f6720

   VMware Fusion 2.0.8 (for Intel-based Macs)
   md5sum: 9951d3b7985c39c685d59eaa73fe267c
   sha1sum: 11463924b5a7f82161090416905774da45e1cd3e 	

   VMware Fusion Lite 2.0.8 (for Intel-based Macs)
   md5sum: 0bee2ef0d0e9e543b2468ed9618e32c8
   sha1sum: fa56bb7ea3493d07610051f92b9941305a436a2f

   ESXi 4.1
   --------
   ESXi410-201010001
   Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-251-20101108-239087/ESXi410-201010001.zip
   md5sum: 05f1049c7a595481cd682e92fe8d3285
   sha1sum: f6993c185f7d1cb971a4ae6e017e0246b8c25a76
   http://kb.vmware.com/kb/1027753

   Note ESXi410-201010001 contains the following security fix:
ESXi410-201010402-BG

   ESXi 4.0
   --------
   ESXi400-201009001
   Download link:
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-241-20100919-436526/ESXi400-201009001.zip
   md5sum: bfc1b78f14d970c556b828492f5920e1
   sha1sum:  a311a4af41aa1202bb6b156694bbc045c67df91a
   http://kb.vmware.com/kb/1025322

   Note ESXi400-201009001 contains the following security fix:
ESXi400-201009402-BG

   ESXi 3.5
   --------
   ESXe350-201008401-O-SG
   http://download3.vmware.com/software/vi/ESXe350-201008401-O-SG.zip
   md5sum:a2bb0afbc677ba847bedecb44dbdd4b3
   http://kb.vmware.com/kb/1026139

   Note ESXe350-201008401-O-SG contains the following security fix:
ESXe350-201008402-T-BG

   ESX 4.1
   -------
   ESX410-201010001

https://hostupdate.vmware.com/software/VUM/OFFLINE/release-252-20101109-182791/ESX410-201010001.zip
   md5sum: ff4435fd3c74764f064e047c6e5e7809
   sha1sum:322981f4dbb9e5913c8f38684369444ff7e265b3
   http://kb.vmware.com/kb/1027027

   ESX410-201010001 contains the following security fix: ESX410-201010405-BG

   ESX 4.0
   -------
   ESX400-201009001

https://hostupdate.vmware.com/software/VUM/OFFLINE/release-240-20100919-359479/ESX400-201009001.zip
   md5sum: 988c593b7a7abf0be5b72970ac64a369
   sha1sum: 26d875955b01c19f4e56703216e135257c08836f
   http://kb.vmware.com/kb/1025321

   ESX400-201009001 contains the following security fix: ESX400-201009401-SG

   ESX 3.5
   -------
   ESX350-201008409-BG
   http://download3.vmware.com/software/vi/ESX350-201008409-BG.zip
   md5sum: f2c4a4a53695057de25f095029d713fb
   http://kb.vmware.com/kb/1026133

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4295
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4296
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4297
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4294

- ------------------------------------------------------------------------

6. Change log

2010-12-02  VMSA-2010-0018
Initial security advisory after release of Workstation 6.5.5,
Player 2.5.5, Fusion 2.0.8 and Fusion 3.1.2 on 2010-12-02, ESX patches
and Workstation 7.1.2 and 7.1.3 were released previously.

- -----------------------------------------------------------------------
7. Contact

E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

This Security Advisory is posted to the following lists:

  \* security-announce at lists.vmware.com
  \* bugtraq at securityfocus.com
  \* full-disclosure at lists.grok.org.uk

E-mail:  security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055

VMware Security Center
http://www.vmware.com/security

VMware Security Advisories
http://www.vmware.com/security/advisories

VMware security response policy
http://www.vmware.com/support/policies/security\_response.html

General support life cycle policy
http://www.vmware.com/support/policies/eos.html

VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos\_vi.html

Copyright 2010 VMware Inc.  All rights reserved.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)

iEYEARECAAYFAkz4k+0ACgkQS2KysvBH1xkwLQCfaxJEaZ/nBDWpl0Pz3a3jBib1
0g0AmwfzyLSLYGEGt0RqmlYUy4vgD2bv
=SgRb
-----END PGP SIGNATURE-----

*   Previous message: \[Security-announce\] VMSA-2010-0017 VMware ESX third party update for Service Console kernel
*   Next message: \[Security-announce\] VMSA-2010-0019 VMware ESX third party updates for Service Console
*   **Messages sorted by:** \[ date \] \[ thread \] \[ subject \] \[ author \]

More information about the Security-announce mailing list

CVE-2010-4295: [Security-announce] VMSA-2010-0018 VMware hosted products and ESX patches resolve multiple security issues

Overview
This advisory is a follow-up to ICS-ALERT-10-305-01 RealFlex RealWin Buffer Overflows, which was published on the ICS-CERT Web site on November 01, 2010.
On October 15, 2010 an independent security researcher posted informationResearcher, http://aluigi.altervista.org/adv/realwin1-adv.txt, website last visited November 4, 2010.  regarding vulnerabilities in RealFlex Technologies Ltd. RealWin SCADA software products. The security researcher’s analysis indicated that successful exploitation of these vulnerabilities can lead to arbitrary code execution and control of the system.
RealFlex Technologies has validated the researcher’s findings and released an updateRealFlex, http://csrealflex.com/cs/index.ssp, website last visited November 8, 2010. to resolve these issues. ICS-CERT has verified that the software update resolves the vulnerabilities highlighted by the researcher.
Affected Products
All RealWin versions up to and including Version 2.1.8 (Build 6.1.8) are affected by these vulnerabilities.
Impact
RealWin is used in small installations for a variety of applications including monitoring water pumping stations, reservoirs, and water treatment plants.
Exploitation of these vulnerabilities may result in remote code execution. Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their environment, architecture, and product implementation.
Background
RealFlex Technologies was established in 1982 and has offices in Limerick, Ireland; Houston, Texas; and Saratov, Russia. RealFlex Technologies products are used in more than 45 countries with primary sectors being power, oil and gas, water and wastewater, marine, transport, chemical, manufacturing, and telecommunications.
RealWin runs on Microsoft Windows platforms (2000 and XP). It can run on a single system or on multiple PCs connected through a TCP/IP network.
Vulnerability Characterization
Vulnerability Overview
According to the researcher’s report, the service listening on TCP Port 912 is vulnerable to multiple stack-based buffer overflows from specially crafted packets. The stack-based buffer overflows are caused by use of the “sprintf” and “strcpy” functions in the RealWin software.
Vulnerability Details
Exploitability
An attacker with an intermediate skill level could create code to exploit these vulnerabilities. Organizations should be aware that a MetasploitMetasploit, http://www.metasploit.com, website last visited November 8, 2010. module is available for these vulnerabilities and the researcher has also made his exploit code publicly available.
Mitigation
RealFlex has addressed these vulnerabilities with a software update available on the company’s web site.RealFlex, http://cs realflex.com/cs/index.ssp, web site last visited November 8, 2010.
RealWin customers who have any questions can contact RealFlex at security@realflex.com.
The following mitigations are recommended:
Update RealWin to Version 2.1.10 (Build 6.1.10).
Ensure that your firewall is restricting access to TCP port 912. RealWin does not require external access to port 912 as it is only used internally on the PC between the communication modules and theRealWin module.
Encourage asset owners to minimize network exposure for all control system devices. Critical control system and/or network devices should not directly face the Internet. Control system networks and remote devices should be located behind firewalls, and kept isolated from the business network. If remote access is required, secure methods such as Virtual Private Networks (VPNs) should be utilized, recognizing that VPNs are only as secure as the components at each end of the connection.
Refer to the Control System Security Program Recommended Practices section for control systems on the US-CERT web site. Several recommended practices are available for reading or downloading, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
As with all system changes, administrators should consult their control systems vendor prior to making any control system changes.
Organizations should follow their established internal procedures if any suspected malicious activity is observed and report their findings to ICS-CERT for tracking and correlation against other incidents. ICSCERT reminds organizations that proper impact analysis and risk assessment should be performed prior to taking defensive measures.

RealFlex RealWin Buffer Overflow

Overview
In July, ICS-CERT published an advisory and a series of updates regarding the Stuxnet malware entitled “ICSA-10-201 USB Malware Targeting Siemens Control Software.” Since then, ICS-CERT has continued analysis of the Stuxnet malware in an effort to determine more about its capabilities and intent. As the analysis has progressed, understanding of the malware sophistication has continued to increase.
Stuxnet makes use of a previously unpatched Windows vulnerability and a digitally signed kernel-mode rootkit. There have been two digital certificates used to sign this rootkit. The original certificate was revoked. Subsequently, a second variant was discovered in which the same rootkit was signed with a different key, which has also been revoked. With approximately 4,000 functions, Stuxnet contains as much code as some commercial software products. The complex code is object oriented and employs many programming techniques that demonstrate advanced knowledge in many areas, including the Windows operating system, Microsoft SQL Server, Siemens software, and Siemens PLCs. The malware also employs many advanced anti-analysis techniques that make reverse engineering difficult and time consuming.
ICS-CERT has identified that while USB drives appear to be a primary infection mechanism, Stuxnet can also infect systems through network shares and SQL databases. The Stuxnet malware stores dropped files in many locations on a target system. The infection mechanism is complex, and the exact files that may be dropped will vary depending on the system it is infecting. After infecting a system, the malware gathers extensive data from MS SQL server, Windows registry, and application software.
Once the malware has installed itself on a system, it employs many evasive techniques, including bypassing antivirus software, advanced process injection, hooking useful functions by kernel-mode rootkits, and the quick removal of temporary files. ICS-CERT is continuing to reverse engineer and analyze this malware. Because of the malware’s complexity, this work is expected to take some time.
Mitigation
--------- Begin Update B ----------
According to reports and analysis, Stuxnet uses a total of five vulnerabilities; one previously patched (MS08-067) and four zero-days. Two of the four zero-day vulnerabilities have been patched since Stuxnet’s discovery.
The first zero-day was addressed in MS10-046b on August 24th, 2010. The second and most recent zeroday vulnerability was addressed in MS10-061c: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290), released on Sept 14th, 2010. According to Microsoft, “This vulnerability in the Print Spooler Service is rated Critical for Windows XP and Important on all other affected platforms and is used by Stuxnet to spread to systems inside the network where the Print Spooler
service is exposed without authentication.”
The other two vulnerabilities are local escalation of privilege vulnerabilities that enable an attacker to gain full control of an affected system. According to an MSRCd post, one the vulnerabilities affects Windows XP and the other affects Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2. Microsoft is evaluating these vulnerabilities and will be releasing updates in future bulletins.
ICS-CERT recommends that control system owners and operators review system upgrades and consider applying available patches to mitigate the risks for Stuxnet infection. As with all system changes, administrators should consult their control systems vendor prior to making any system changes. On Sept 7th, Siemens also updated their support site to indicate that they were aware of 15 infections worldwide. According to Siemens, in none of the cases did the infection cause an adverse impact to the automation system.
---------- End Update B ----------
Implementing security measures and properly cleaning an infected system will help to mitigate the effects of the malware and overall risk of a successful Stuxnet infection. The following sections provide guidance that can be used by owners and operators to prevent or identify and remove the Stuxnet malware.
Preventing Infection
Microsoft Windows Update
Microsoft Security Bulletin MS10-046Microsoft Security Bulletin, http://www.microsoft.com/technet/security/Bulletin/MS10-046.mspx, website last accessed August 24, 2010. addresses the vulnerability used by Stuxnet to infect a system from a USB drive. Organizations affected by Stuxnet and running Siemens WinCC or Step7 software should follow Siemens recommendationsSiemens Product Support, http://support.automation.siemens.com/WW/view/en/43876783, website last accessed August 23, 2010. for applying the Microsoft update.
Stuxnet malware also references a Microsoft vulnerability that was addressed in MS08-067Microsoft Security Bulletin, http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx, website last visited August 25, 2010. although it is not yet clear how this vulnerability is used. ICS-CERT recommends that control system owners and operators review system upgrades and consider applying this patch if it has not already been applied. As with all system changes, administrators should consult their control systems vendor prior to making any system changes.
USB Policy and Usage
Because USB drives, sometimes known as thumb drives, are small, readily available, inexpensive, and extremely portable, they are popular for storing and transporting files from one computer to another. This convenience also poses a security concern. Stuxnet and other malware take advantage of USB drives to propagate. Organizations are encouraged to review internal company policies and establish protective technical measures to disable USB drives. ICS-CERT recommends reviewing the Control Systems Analysis Report “USB Drives Commonly Used As an Attack Vector against Critical Infrastructure”  for additional information on removable media and best practices.
Identifying and Removing the Stuxnet Malware
The overall sophistication of the Stuxnet malware cannot be overstated. Because of this complexity, cleanup procedures will vary. Some infections will be simple, while others involving Siemens products may be significantly more complex. Below are mitigation recommendations for two different system types:
Systems running Siemens software
Standard systems that are not running Siemens software.
Control system owners and operators should exercise caution and consult their control systems vendor prior to making any changes or using antivirus software. In addition, proper impact analysis and testing should always be conducted prior to making any changes to control systems.
With this caveat in mind, if current antivirus software identifies a system as being infected with Stuxnet malware, the following guidelines will aid in malware mitigation.
Infection of Systems Running Siemens Software
If Siemens SIMATIC WinCC or STEP 7 software is running on an infected system, then Siemens Customer Support and ICS-CERT should be contacted. Siemens recommends installing the Microsoft Patch running the SysClean tool, and installing the SIMATIC Security Update. The details of Siemens procedure are listed on the Siemens Product Support website.
A Stuxnet infection can be complicated and involve many changes to the infected system and possibly to attached PLC hardware. Control system owners and operators should be aware that although SysClean does remove a number of files, remnant artifacts may be left on a system after cleaning. Remnants can include new files, modified files (including WinCC project files), registry changes, and new or modified database tables.
SysClean appears to stop the malware from infecting USB drives. However, because of the complexity of this malware, it is not yet understood if these remnants could pose future problems.
ICS-CERT recommends working closely with Siemens Customer Support to determine whether to completely rebuild a compromised system or to clean it through manual and/or automated means. ICS-CERT will also provide support to organizations requesting additional guidance or analysis including onsite support where appropriate. ICS-CERT is continuing to collaborate with Siemens on this malware.
Because Stuxnet specifically targets Siemens’ systems, it will behave very differently on standard systems than it does on systems running Siemens software. Current analysis indicates that cleanup of standard systems will be less complicated than on a system with Siemens’ software installed.

Tag

#rce