On April 5, 2012, ICS-CERT issued an advisory regarding buffer overflows in the COM and ActiveX scripting interfaces of the ABB WebWare Server application, discovered by Billy Rios and Terry McCorkle. Threatpost also covered the advisory as a follow-up to its previous coverage of Rios' and McCorkle's "100 Bugs in 100 Days" project.
At first glance, it would be easy to be perplexed or outraged that a software vendor would refuse to provide a patch for a security issue. The reality is that this happens quite often, even with the largest software vendors. Reviewing TippingPoint's Zero Day Initiative (ZDI) "Upcoming Advisories" list shows that large vendors such as Microsoft, Adobe, Hewlett-Packard, and even GE have known security vulnerabilities that have gone unpatched for over 150 days. In 8 cases, ZDI lists advisories that have remained unpatched for over 300 days. Even Digital Bond's web site lists the number of days since "Siemens Has Not Fixed Stuxnet S7 Vulns" at over 570.
Once you get over your initial reaction, you may realize that, given the circumstances, choosing not to patch can be a viable response to a security advisory. In ABB's case, the company notes that the WebWare Server (and associated products) are "legacy products nearing the end of their life cycle that are no longer actively supported."
Almost all product vendors plan a limited lifespan for their products, and some companies even do a good job of communicating that lifespan to customers. When a product vendor receives notice that a security vulnerability is present in its product, the vendor has to ask itself many different questions. For example:
- Is the product patchable?
- Is there more risk in patching the vulnerability than in leaving it exposed?
- Do we have a migration or upgrade to mitigate the vulnerability?
- Is the effort required to mitigate the vulnerability justified, given the remaining lifespan of the product?
- Is the vulnerability exploitable, and how likely is exploitation?
- Are there compensating mitigations available? For example, firewall rules, intrusion prevention, or application whitelisting technologies.
One thing we know for sure is that ICS vendors need to learn that no response is a bad response. In the case of ABB, the response was not to patch, and that's ok: the important thing is that they responded at all. In addition, ABB provided a contact email address for concerned customers to ask questions regarding cyber security. ABB gave a clear answer to the patch question and a path forward for customers.
As part of operational planning, asset owners determine the acceptable lifetime of a process and its associated parts. When an asset owner's planned lifetime stretches past the vendor's planned lifetime for a product, the asset owner needs to be aware that the product may be left in an unsupported state, and must take appropriate measures to implement mitigations and plan for a process refresh. Industrial Defender has several mitigation solutions for this type of situation, and anyone with legacy vulnerable products is encouraged to contact Industrial Defender to determine the best solution to monitor, manage, and protect their existing infrastructure.