9 April 2017

When I read the note about CVE-2017-6033 on LinkedIn and the related ICS Cert Advisory ICSA-17-094-01 on Wednesday morning my first thought was: Sounds like a really big issue if Schneider Electric recommends to upgrade to Windows 10 to solve this security issue with their Interactive Graphical SCADA System (IGSS) Software.

What happened: Someone identified a search path vulnerability in the IGSS software. This means that if an attacker manages to place e.g. a fake IGSS dynamic link library (DLL) in a path which is searched earlier than the default installation directory, then the fake DLL is executed instead of the version installed in the installation directory. Ok, this sounds really dangerous.

The CVSS V3 vector string for CVE-2017-6033 is (AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H).

The UI (User Interaction) is important in this case. UI:R (Required) means that

“Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. For example, a successful exploit may only be possible during the installation of an application by a system administrator.”

In this case, the attacker must convince a user or administrator to copy a malicious DLL to a directory, which is searched earlier than the IGSS installation directory, to the computer where the IGSS software is installed.

To be honest, Schneider Electric’s recommendation for mitigation of this risk is somewhat oversized. End users should under no account fall into blind actionism and start migrating to Windows 10. The operational risk is far too high compared to the effort an attacker has to take to prepare the attack.

In this case, I would propose to simply make the users aware of the problem, and that’s it. If production networks are well designed and maintained and user awareness is high then there’s no need to run in the patch treadmill. To keep pace with this endless flood of patches pulls us away from doing the right and important things.

Have a good weekend.