ICS-CERT: Koyo Ecom100 Multiple Vulnerabilities

Monday, April 16, 2012

Infosec Island Admin


This Advisory is a follow-up to the ICS-CERT Alert titled “ICS-ALERT-12-020-05A — Koyo Ecom100 Multiple Vulnerabilities” that was originally published January 20, 2012, on the ICS-CERT web page and updated on February 14, 2012.

ICS-CERT is aware of a public report of multiple vulnerabilities with proof-of-concept (PoC) exploit code affecting the Koyo ECOM100 Ethernet Module. This report is based on information presented by Reid Wightman during Digital Bond’s SCADA Security Scientific Symposium (S4) on January 19, 2012. Vulnerability details were released without coordination with either the vendor or ICS-CERT.

A brute force password cracking tool has also been released that targets the weak authentication vulnerability in the ECOM series modules. This tool may greatly reduce the time and skill level required to attack a vulnerable system.

ICS-CERT has coordinated these vulnerabilities with Koyo, which has produced an updated firmware that resolves these vulnerabilities.

The following Koyo products and versions are affected:

DIRECTLOGIC DL205 SERIES PROGRAMMABLE LOGIC CONTROLLERS

• H2-ECOM (For DirectLogic DL205 Series Programmable Logic Controllers)
• H2-ECOM-F (For DirectLogic DL205 Series Programmable Logic Controllers)
• H2-ECOM100 (For DirectLogic DL205 Series Programmable Logic Controllers)

DIRECTLOGIC DL06 SERIES PROGRAMMABLE LOGIC CONTROLLERS

• H0-ECOM (For DirectLogic DL06 Series Programmable Logic Controllers)
• H0-ECOM100 (For DirectLogic DL06 Series Programmable Logic Controllers)

DIRECTLOGIC DL405 SERIES PROGRAMMABLE LOGIC CONTROLLERS

• H4-ECOM (For DirectLogic DL405 Series Programmable Logic Controllers)
• H4-ECOM-F (For DirectLogic DL405 Series Programmable Logic Controllers)
• H4-ECOM100 (For DirectLogic DL405 Series Programmable Logic Controllers)

IMPACT

Successful exploitation of these vulnerabilities may allow an attacker to load modified firmware, or to perform other malicious activities on the system.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.

BACKGROUND

Koyo is an international manufacturer of automation products and controllers including programmable logic controllers. AutomationDirect.com is a subsidiary of Koyo, and the exclusive distributor of Koyo programmable controllers for North America, South America, Australia, and Europe.

The Koyo ECOM100 Ethernet module is used to communicate between a PLC and the control system.

VULNERABILITY OVERVIEW

BUFFER OVERFLOW: This vulnerability exists because long string input to parameters will cause a buffer overflow, which may allow execution of arbitrary code. CVE-2012-1805 has been assigned to this vulnerability. MITIGATION: Koyo reports that this is resolved by the patch available for the ECOM modules listed in this Advisory.

WEAK PASSWORD REQUIREMENTS: This vulnerability exists because the ECOM modules only allow a password of up to 8 bytes for authentication. A brute force tool for exploiting this vulnerability has been released publicly. CVE-2012-1806 has been assigned to this vulnerability. MITIGATION: The patch does not change the maximum password length, but it implements a lockout mechanism to mitigate this risk.
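To make the mitigation concrete, here is an added example of an authentication lockout policy of the kind the advisory says the Koyo patch introduces. This is illustrative code written for this page, not Koyo's firmware and not part of the ICS-CERT advisory; the failure threshold, lockout duration, source addresses and guess stream are all assumed and constructed. The point it demonstrates is that, when the password itself cannot be lengthened, throttling failed attempts per source bounds how many guesses an online brute-force tool can actually have evaluated in a given time.

```python
"""Added example: per-source failed-login lockout (not Koyo's implementation)."""
import hmac
from collections import defaultdict

MAX_FAILURES = 5        # assumed policy: consecutive failures before lockout
LOCKOUT_SECONDS = 300   # assumed policy: how long a locked source stays locked


class AuthLockout:
    """Tracks consecutive failed attempts per source and locks the source out."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = defaultdict(int)   # source -> consecutive failures
        self.locked_until = {}             # source -> timestamp when lock expires

    def is_locked(self, source, now):
        until = self.locked_until.get(source)
        if until is None:
            return False
        if now >= until:
            # lock expired: clear it and restart the failure counter
            del self.locked_until[source]
            self.failures[source] = 0
            return False
        return True

    def attempt(self, source, password, now, correct_password):
        """Evaluate one login attempt; returns 'locked', 'ok' or 'fail'."""
        if self.is_locked(source, now):
            return "locked"  # rejected before the password is even compared
        # constant-time comparison so the check itself leaks no timing information
        if hmac.compare_digest(password.encode(), correct_password.encode()):
            self.failures[source] = 0
            return "ok"
        self.failures[source] += 1
        if self.failures[source] >= self.max_failures:
            self.locked_until[source] = now + self.lockout_seconds
        return "fail"


def guesses_checked(lockout, source, total_guesses, interval, correct_password):
    """Feed `total_guesses` wrong guesses from one source, `interval` seconds apart,
    and count how many the module actually evaluated (i.e. were not rejected as locked)."""
    checked = 0
    for i in range(total_guesses):
        result = lockout.attempt(source, f"wrong{i}", now=i * interval,
                                 correct_password=correct_password)
        if result != "locked":
            checked += 1
    return checked


if __name__ == "__main__":
    # constructed scenario: 1000 guesses, one per second, from a single source
    src = "10.0.0.5"  # constructed sample address
    with_lockout = guesses_checked(AuthLockout(), src, 1000, 1.0, "secret")
    no_lockout = guesses_checked(AuthLockout(max_failures=10**9), src, 1000, 1.0, "secret")
    print(f"guesses evaluated with lockout: {with_lockout}, without: {no_lockout}")
```

With the assumed policy (5 failures, 300-second lockout) only 5 guesses per roughly 5 minutes are ever compared against the stored password, so a brute-force run that would otherwise evaluate 1000 guesses in 1000 seconds gets 20 evaluated. Note that a lockout keyed on source address can itself be a denial-of-service lever against legitimate operators, which is why such a mechanism is a mitigation rather than a replacement for network segmentation and a longer credential.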

WEB SERVER CROSS-SITE SCRIPTING: This vulnerability exists because the web server allows injection of malicious cross-site scripts. CVE-2012-1807 has been assigned to this vulnerability. MITIGATION: Koyo reports that this is resolved by the patch available for the ECOM modules listed in this Advisory.

WEB SERVER REQUIRES NO AUTHENTICATION: This vulnerability exists because the web server in the ECOM modules does not require authentication to perform critical functions. CVE-2012-1808 has been assigned to this vulnerability. MITIGATION: According to Koyo, the web server within the ECOM modules is limited to module configuration parameters. Web server authentication was not added to the module; however, the web server is now disabled by default. A configuration change is required to enable the web server.

UNCONTROLLED RESOURCE CONSUMPTION: This vulnerability exists because the ECOM web server does not properly restrict the size or amount of resources that are requested or could be influenced by an actor. This can lead to excessive resource consumption, affecting system performance. CVE-2012-1809 has been assigned to this vulnerability. MITIGATION: According to Koyo, the web server within the ECOM modules is limited to module configuration parameters. Resource management features were not added to the module; however, the web server is now disabled by default. A configuration change is now required to enable the web server.

EXPLOITABILITY: These vulnerabilities are all remotely exploitable.

EXISTENCE OF EXPLOIT: Public exploits are known to target these vulnerabilities.

DIFFICULTY: An attacker with a low to moderate skill level would be able to exploit these vulnerabilities.

MITIGATION

According to Automation Direct, the firmware for the ECOM family of Ethernet Products for the Koyo DirectLogic Series of PLCs has been updated to address these vulnerabilities; the update can be downloaded here: http://www.hosteng.com/.

AutomationDirect.com encourages all customers that use and purchase the above products to subscribe to its e-mail firmware notification service for notification of future upgrades and updates. Users can subscribe to this notification system at http://notify.automationdirect.com/firmware/.

The full ICS-CERT advisory can be found here:

Source:  http://www.us-cert.gov/control_systems/pdf/ICSA-12-102-02.pdf
