The Schneider ProClima vulnerability disclosures were another interesting case study in ICS security communications.
Security Week ran an article on them, as did Threatpost.
Interesting-ness #1
In communications from Schneider and DHS there are two “vulnerabilities”, both classified as Command Injection (CWE-77), yet a total of five CVEs. I understand the reasons for combining analysis in some cases, but am I the only one who thinks each CVE should serve exactly one vulnerability?
Interesting-ness #2
ProClima software would very rarely be found on an industrial network. It is enclosure design software: it helps engineers design control enclosures/cabinets so that they do not get too hot. It might turn up on an ICS engineer's laptop, but its fundamental purpose is not process control or process design. It is process control cabinet design!
Interesting-ness #3
The CVSSv2 base score for these vulnerabilities is 10.0 (the highest score possible). The vulnerabilities are in an ActiveX control, so even if the software were on an ICS network (and it is not, see #2 above) the vulnerable machine would still have to load attacker-controlled web content in Internet Explorer for the flaw to be exploited. If your ICS machines can do that, you have worse problems than an obscure ActiveX vuln. The base score is environment-agnostic by design; CVSSv2 puts deployment context into the environmental metrics (Target Distribution, Collateral Damage Potential), which are left to the asset owner to score. In short, the 10.0 does a poor job of characterizing the potential impact to the actual process being controlled.
The reason I think these “small” analytical issues matter is that if we are really concerned about protecting critical infrastructure, we have to communicate clearly. There is *virtually zero* potential process impact from successful exploitation of these vulnerabilities.
If you want to cut the hype and get solid ICS vuln analysis, then subscribe to Critical Intelligence ICS Core Intelligence Service.