Christmas is just around the corner, but for many IT security professionals, the holiday is a source of worry rather than wonder: Security vulnerabilities are often leveraged by cybercriminals determined to make the most of lower staffing levels and existing network issues. Topping this year’s Christmas hit list are three flaws that, if left unchecked, pose a serious risk for enterprises. Here’s a wrap-up.
PLC Problems
As noted by SecurityWeek, a host of vulnerabilities have been found in Schneider Electric’s Modicon M340 programmable logic controller (PLC) products, midrange devices popular in manufacturing, transportation, electrical equipment and water automation. Thirteen models are affected by CVE-2015-7937, a buffer overflow in the PLC’s Web server login: the server copies the submitted password into a fixed 65-character buffer with strcpy(), which performs no bounds check, so a password of 90 to 100 characters overruns the buffer and crashes the device.
CTO Nir Giller of security research firm CyberX, who is credited with discovering the vulnerability, said it may also be possible to craft a password that executes code remotely on the device rather than merely crashing it. Schneider released firmware updates on Dec. 15 and plans a further set on Jan. 16, but CyberX has not confirmed that the new firmware fixes the problem. In the meantime, companies are advised to block TCP port 80 (the PLC’s HTTP interface) at the firewall, or at least restrict it to trusted engineering hosts, to minimize risk.
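To make the failure mode concrete, here is an added example in C (not Schneider’s firmware and not code from the original article) that reproduces the pattern: a 65-byte password buffer filled with strcpy(), which copies until it finds the source’s terminator and never consults the destination size, beside a hardened version that refuses any password that does not fit. The frame layout, the canary marker after the buffer and the 512-byte slack are constructed for this demonstration so the overrun stays inside memory the program owns; on the real device the copy runs into whatever the firmware keeps after the buffer, which is what crashes it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layout for the simulated login frame (not the PLC's real memory map). */
#define PASSWORD_BUF   65          /* 64-character password plus NUL terminator */
#define CANARY_OFFSET  68          /* 4-byte marker just past the buffer (4-aligned) */
#define FRAME_SIZE     512         /* slack so the overrun stays inside memory we own */
#define CANARY_VALUE   0xDEADBEEFu

static void arm_canary(unsigned char *frame) {
    unsigned int c = CANARY_VALUE;
    memcpy(frame + CANARY_OFFSET, &c, sizeof c);
}

static int canary_intact(const unsigned char *frame) {
    unsigned int c;
    memcpy(&c, frame + CANARY_OFFSET, sizeof c);
    return c == CANARY_VALUE;
}

/* Vulnerable pattern: strcpy() copies until the source's NUL and never looks at the
   destination size. Returns 1 if the marker after the buffer survived, 0 if the copy
   ran past the buffer and overwrote it (on the real device: a crash). */
int login_vulnerable(unsigned char *frame, const char *supplied) {
    arm_canary(frame);
    strcpy((char *)frame, supplied);
    return canary_intact(frame);
}

/* Hardened pattern: measure with an upper bound, reject anything that does not fit
   together with its terminator, then copy exactly that many bytes.
   Returns 1 if the password was accepted, 0 if it was refused. */
int login_hardened(unsigned char *frame, const char *supplied) {
    arm_canary(frame);
    size_t n = 0;
    while (n < PASSWORD_BUF && supplied[n] != '\0')
        n++;
    if (n == PASSWORD_BUF)          /* 65+ characters: no room for the NUL */
        return 0;
    memcpy(frame, supplied, n + 1);
    return canary_intact(frame);
}

/* Run one login against a fresh frame with a password of `len` 'A' characters. */
static int run(int (*login)(unsigned char *, const char *), size_t len) {
    unsigned char *frame = calloc(FRAME_SIZE, 1);
    char pw[FRAME_SIZE];
    if (!frame || len >= sizeof pw) { free(frame); return -1; }
    memset(pw, 'A', len);
    pw[len] = '\0';
    int result = login(frame, pw);
    free(frame);
    return result;
}

int demo_vulnerable(size_t len) { return run(login_vulnerable, len); }
int demo_hardened(size_t len)   { return run(login_hardened, len); }

int main(void) {
    printf("vulnerable, 40-char password: canary intact = %d\n", demo_vulnerable(40));
    printf("vulnerable, 95-char password: canary intact = %d\n", demo_vulnerable(95));
    printf("hardened,   95-char password: accepted      = %d\n", demo_hardened(95));
    printf("hardened,   64-char password: accepted      = %d\n", demo_hardened(64));
    return 0;
}
```

The 95-character case overwrites the marker in the vulnerable version and is simply refused by the hardened one; a 64-character password (the longest that fits with its terminator) passes both. The same bounded-length check is what a firmware fix has to add in front of every copy of attacker-controlled input.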
Impacted Industrial Routers
Next up are eWon industrial routers, designed to securely connect industrial machines to the Internet and used in industries such as transportation, textiles, robotics, oil and gas, medical and renewable energy. According to ICS-CERT, independent security researcher Karn Ganeshen discovered the security vulnerabilities, which affect all eWon devices running firmware prior to version 10.1s0. The more worrisome issue, assigned a severity score of 9.9 by ICS-CERT, is CVE-2015-7926, a cross-site request forgery (CSRF): an attacker who gets a logged-in user to follow a forged URL can use that user’s session to gather information about I/O servers, change server configuration or even delete users.
Cleartext passwords (CVE-2015-7928) are also a problem: credentials sent over unencrypted HTTP can be intercepted by a man-in-the-middle (MitM) attacker, and some pages in the eWon Web app leave autocomplete enabled on password fields, so browsers store and replay them. There is also a session management flaw: logging out does not invalidate the session on the device, so a stolen or leftover session remains usable until the browser itself is closed.
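As an added example (not the eWon firmware and nothing from the advisory), the following C sketch shows the server-side checks that close the gaps described above: a state-changing request must carry a per-session anti-CSRF token and an Origin header naming the device, not just the session cookie, and logging out destroys the session in the server’s table instead of leaving that to the browser. The device origin, the token source and the table size are assumptions made for the demonstration; a real device would draw tokens from a CSPRNG and serve the UI only over HTTPS so the password never crosses the wire in the clear.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SESSIONS  8
#define TOKEN_LEN     16
#define DEVICE_ORIGIN "https://ewon.example.local"   /* assumed origin of the device's Web UI */

struct session {
    int  active;
    char user[32];
    char csrf_token[TOKEN_LEN + 1];
};

static struct session sessions[MAX_SESSIONS];
static unsigned int token_counter;

/* Token source for this demo only: a counter mixed with a fixed multiplier so runs are
   reproducible. A real device must draw tokens from a CSPRNG. */
static void make_token(char *out) {
    unsigned int x = ++token_counter * 2654435761u;
    snprintf(out, TOKEN_LEN + 1, "%08x%08x", x, x ^ 0xa5a5a5a5u);
}

/* Compare without an early exit on mismatch, so timing does not reveal how many
   leading characters of the token were right. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la ^ lb);
    for (size_t i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

static int session_ok(int sid) {
    return sid >= 0 && sid < MAX_SESSIONS && sessions[sid].active;
}

/* Log a user in. Returns the session id (table index) or -1 if the table is full. */
int session_login(const char *user) {
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (!sessions[i].active) {
            sessions[i].active = 1;
            snprintf(sessions[i].user, sizeof sessions[i].user, "%s", user);
            make_token(sessions[i].csrf_token);
            return i;
        }
    }
    return -1;
}

/* The token the legitimate UI embeds in its forms; NULL for an unknown session. */
const char *session_token(int sid) {
    return session_ok(sid) ? sessions[sid].csrf_token : NULL;
}

/* Logout destroys the session server-side: the cookie is useless from this point,
   whether or not the browser is ever closed. */
int session_logout(int sid) {
    if (!session_ok(sid)) return 0;
    memset(&sessions[sid], 0, sizeof sessions[sid]);
    return 1;
}

enum { REQ_OK = 0, REQ_NO_SESSION = 1, REQ_BAD_ORIGIN = 2, REQ_BAD_TOKEN = 3 };

/* Gate for a state-changing request such as "delete user". A forged link or form on
   another site makes the victim's browser send the cookie, but cannot set a matching
   Origin header and cannot read the per-session token. */
int handle_state_change(int sid, const char *origin, const char *token) {
    if (!session_ok(sid)) return REQ_NO_SESSION;
    if (origin == NULL || strcmp(origin, DEVICE_ORIGIN) != 0) return REQ_BAD_ORIGIN;
    if (token == NULL || !ct_equal(token, sessions[sid].csrf_token)) return REQ_BAD_TOKEN;
    return REQ_OK;
}

/* Walk the four scenarios and return how many behaved as expected (4 = all). */
int demo_scenario(void) {
    int passed = 0, sid = session_login("adm");
    const char *tok = session_token(sid);
    passed += handle_state_change(sid, "https://attacker.example", NULL) == REQ_BAD_ORIGIN;
    passed += handle_state_change(sid, DEVICE_ORIGIN, "0000000000000000") == REQ_BAD_TOKEN;
    passed += handle_state_change(sid, DEVICE_ORIGIN, tok) == REQ_OK;
    session_logout(sid);
    passed += handle_state_change(sid, DEVICE_ORIGIN, "anything") == REQ_NO_SESSION;
    return passed;
}

int main(void) {
    printf("scenarios behaving as expected: %d of 4\n", demo_scenario());
    return 0;
}
```

The first call models the forged-URL attack: the cookie arrives, but the request is refused on origin alone. The last call is the logout fix: the same session id that worked a moment earlier is dead on the server, which is exactly what the vulnerable firmware fails to do.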
Security Vulnerabilities in Outlook Overlooked
The last big holiday security hole comes from Microsoft Outlook. As noted by Ars Technica, Microsoft patched the flaw (CVE-2015-6172), known as BadWinmail, in its Dec. 8 Patch Tuesday release, but details have since emerged about how dangerous it really is. Outlook is designed to open attachments from untrusted emails inside its Protected View sandbox, but security researcher Haifei Li found a way to deliver malware that never passes through it.
Li found that a Transport Neutral Encapsulation Format (TNEF) attachment, the *.dat file usually named winmail.dat, can carry an embedded OLE object that Outlook loads automatically, outside the sandbox, as soon as the email is opened. Worse, if the malicious email is the newest in the user’s inbox, Outlook renders it on startup, so the malware executes as soon as the program is launched.
What’s more, TNEF also lets the payload ride inside the *.msg format, which Outlook treats as safe. It’s no wonder, then, that the Ars Technica piece described BadWinmail as a letterbomb exploit, while Li called it “The Enterprise Killer.” The Dec. 8 patch closes the hole, so confirm that it has actually reached every Outlook installation before the holiday skeleton crew takes over, and keep an eye on Outlook over the season.
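The container at the heart of BadWinmail is a TNEF stream: a 4-byte signature (0x223E9F78), a 16-bit attachment key, then a run of attributes, each a level byte (1 = message, 2 = attachment), a 32-bit attribute id, a 32-bit length, the data and a 16-bit checksum (the sum of the data bytes). The following added example (not Li’s proof of concept and not Microsoft code) is a small C scanner a mail gateway could run over a winmail.dat while unpatched clients remain: it validates the structure, counts attachments, and reports any whose attAttachment MAPI properties declare PR_ATTACH_METHOD = ATTACH_OLE, the embedded-object case. The sample stream is constructed inline with placeholder render data and payload bytes, and the property decoder only understands 4-byte PT_LONG values, which suffices for that sample but not for every real-world winmail.dat.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TNEF_SIGNATURE    0x223E9F78u
#define LVL_MESSAGE       0x01
#define LVL_ATTACHMENT    0x02
#define attTnefVersion    0x00089006u
#define attAttachRendData 0x00069002u   /* first attribute of each attachment */
#define attAttachment     0x00069005u   /* MAPI property block for the attachment */
#define attAttachData     0x0006800Fu   /* the attachment body */
#define PR_ATTACH_METHOD  0x37050003u   /* property id 0x3705, type PT_LONG (0x0003) */
#define ATTACH_BY_VALUE   1
#define ATTACH_OLE        6

struct tnef_report {
    int valid;            /* signature present and every attribute checksum correct */
    int attachments;      /* attAttachRendData attributes seen */
    int ole_attachments;  /* attachments whose PR_ATTACH_METHOD is ATTACH_OLE */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Look for PR_ATTACH_METHOD in a MAPI property block (uint32 count, then tag and value
   per property). Only PT_LONG is decoded; another type stops the scan ("unknown", not "safe"). */
static int attach_method_is_ole(const uint8_t *d, size_t len) {
    if (len < 4) return 0;
    uint32_t count = rd32(d);
    for (size_t off = 4, i = 0; i < count && off + 8 <= len; i++, off += 8) {
        uint32_t tag = rd32(d + off);
        if ((tag & 0xFFFF) != 0x0003) return 0;
        if (tag == PR_ATTACH_METHOD && rd32(d + off + 4) == ATTACH_OLE) return 1;
    }
    return 0;
}

/* Walk the stream; stops with valid = 0 on bad signature, truncation or checksum mismatch. */
struct tnef_report scan_tnef(const uint8_t *buf, size_t len) {
    struct tnef_report r = {0, 0, 0};
    if (len < 6 || rd32(buf) != TNEF_SIGNATURE) return r;
    size_t off = 6;                                   /* signature + attachment key */
    while (off + 9 <= len) {
        uint8_t level = buf[off];
        uint32_t id = rd32(buf + off + 1), dlen = rd32(buf + off + 5);
        off += 9;
        if (dlen > len - off || off + dlen + 2 > len) return r;
        const uint8_t *data = buf + off;
        uint16_t sum = 0;
        for (uint32_t i = 0; i < dlen; i++) sum = (uint16_t)(sum + data[i]);
        if (sum != rd16(data + dlen)) return r;
        if (level == LVL_ATTACHMENT) {
            if (id == attAttachRendData) r.attachments++;
            if (id == attAttachment && attach_method_is_ole(data, dlen)) r.ole_attachments++;
        }
        off += dlen + 2;
    }
    r.valid = (off == len);
    return r;
}

/* Append one attribute (level, id, length, data, checksum); returns the new offset. */
static size_t put_attr(uint8_t *out, size_t pos, uint8_t level, uint32_t id,
                       const uint8_t *data, uint32_t dlen) {
    uint16_t sum = 0;
    out[pos++] = level;
    put32(out + pos, id);   pos += 4;
    put32(out + pos, dlen); pos += 4;
    memcpy(out + pos, data, dlen);
    for (uint32_t i = 0; i < dlen; i++) sum = (uint16_t)(sum + data[i]);
    pos += dlen;
    out[pos++] = (uint8_t)sum;
    out[pos++] = (uint8_t)(sum >> 8);
    return pos;
}

/* Constructed winmail.dat with one attachment whose method is `attach_method`.
   Render data and payload are placeholder bytes, not a real OLE object. */
size_t build_sample(uint8_t *out, uint32_t attach_method) {
    static const uint8_t version[4] = {0x00, 0x00, 0x01, 0x00};    /* TNEF version 1.0 */
    static const uint8_t rend[14] = {0};
    static const uint8_t payload[] = "OLE-OBJECT-BYTES";
    uint8_t props[12];
    put32(props, 1); put32(props + 4, PR_ATTACH_METHOD); put32(props + 8, attach_method);
    put32(out, TNEF_SIGNATURE);
    out[4] = 0x34; out[5] = 0x12;                                  /* attachment key */
    size_t pos = put_attr(out, 6, LVL_MESSAGE, attTnefVersion, version, 4);
    pos = put_attr(out, pos, LVL_ATTACHMENT, attAttachRendData, rend, 14);
    pos = put_attr(out, pos, LVL_ATTACHMENT, attAttachment, props, 12);
    return put_attr(out, pos, LVL_ATTACHMENT, attAttachData, payload, sizeof payload - 1);
}

/* Build a sample, optionally flip its last byte (breaks the final checksum), and scan it. */
struct tnef_report demo_scan(uint32_t attach_method, int corrupt) {
    uint8_t buf[256];
    size_t n = build_sample(buf, attach_method);
    if (corrupt) buf[n - 1] ^= 0xFF;
    return scan_tnef(buf, n);
}

int main(void) {
    struct tnef_report r = demo_scan(ATTACH_OLE, 0);
    printf("OLE sample:  valid=%d attachments=%d ole=%d\n", r.valid, r.attachments, r.ole_attachments);
    r = demo_scan(ATTACH_BY_VALUE, 0);
    printf("file sample: valid=%d attachments=%d ole=%d\n", r.valid, r.attachments, r.ole_attachments);
    printf("corrupted:   valid=%d\n", demo_scan(ATTACH_OLE, 1).valid);
    return 0;
}
```

Until the December patch is confirmed everywhere, a gateway could quarantine any TNEF stream for which ole_attachments is non-zero (or, more bluntly, any that carries an attachment at all, since the *.msg route described above also rides on TNEF). A stream that comes back with valid = 0 is malformed and deserves a flag of its own rather than a pass.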
For many IT security professionals, the No. 1 goal is getting through New Year’s without a major breach or server crash. These three security vulnerabilities can put that plan in jeopardy. To avoid a less-than-happy holiday, make sure network security is wrapped up before the break: the Schneider firmware updates and a firewall rule for port 80 on the PLCs, the eWon 10.1s0 firmware, and the Dec. 8 Microsoft patch confirmed on every Outlook client.