Cyber Security Advisory

Similar documents
Cyber Security Advisory

SECURITY BULLETIN - HART Vulnerability in ABB Third Party Device Type Library

Security Advisory Relating to the Speculative Execution Vulnerabilities with some microprocessors

Xerox Mobile Print Solution

Security Advisory Relating to OpenSSL Vulnerability Heartbleed on Various Polycom Products

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at

Security Advisory Relating to the Speculative Execution Vulnerabilities with some microprocessors

February 2017 Version: 1.0. Xerox App Gallery 4.0 Information Assurance Disclosure

Polycom RealPresence Resource Manager System, Virtual Edition

Creating and Installing SSL Certificates (for Stealthwatch System v6.10)

Polycom RealPresence Resource Manager System

Polycom RealPresence Access Director System

Xerox Mobile Print Solution

Cisco Meeting Management

Polycom RealPresence Media Manager

CYAN SECURE WEB Installing on Windows

SCADAvantage Version Product update

Oracle Insurance Policy Administration Configuration of SAML 1.1 Between OIPA and OIDC

Tanium Network Quarantine User Guide


Stonesoft Firewall/VPN Express. Release Notes for Version 5.5.4

PASS4TEST. IT Certification Guaranteed, The Easy Way! We offer free update service for one year

SAP Business One Integration Framework

Cloud Link Configuration Guide. March 2014

CA Adapter. CA Adapter Installation Guide for Windows 8.0

Quick Connection Guide

SafeNet Authentication Service

Device Management Basic HART DTM 6.0 Installation

Stonesoft Management Center. Release Notes for Version 5.5.1

Scan Report Executive Summary. Part 2. Component Compliance Summary Component (IP Address, domain, etc.):

Cloud Access Manager How to Configure for SSO to SAP NetWeaver using SAML 2.0

Product Support Notice

One Identity Starling Two-Factor Desktop Login 1.0. Administration Guide

Ruckus Wireless Security Advisory ID FAQ

Oil and Gas SCADAvantage TM Product Update version 5.6.2

Oil and Gas SCADAvantage TM Product Update version ABB

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for Tableau Server

SonicWall Secure Mobile Access

Security Advisory IP Camera Vulnerability December

Polycom Updater Release Notes Applies to SoundStation IP 6000 and IP 7000

Polycom RealPresence Access Director System, Virtual Edition

1.0. Quest Enterprise Reporter Discovery Manager USER GUIDE

VSP16. Venafi Security Professional 16 Course 04 April 2016

Workshop 4 Installation INSTALL GUIDE. Document Date: February 4 th, Document Revision: 1.1

Quest Collaboration Services 3.6. Installation Guide

Product Support Notice

Price List Utilities. For Dynamics CRM 2016

Veeam Cloud Connect. Version 8.0. Administrator Guide

StorageGRID Webscale NAS Bridge Management API Guide

Product Release Information

October J. Polycom Cloud Services Portal

Dell SonicWALL SonicOS 5.9 Upgrade Guide

KACE GO Mobile App 5.0. Release Notes

Veritas NetBackup Appliance Security Guide

December A. Before You Begin...3

Polycom Updater Release Notes

Interdomain Federation for the IM and Presence Service, Release 10.x

CA Adapter. Installation and Configuration Guide for Windows. r2.2.9

System 800xA Public Address System User Manual

HPE Enterprise Integration Module for SAP Solution Manager 7.1

Integration Guide. SafeNet Authentication Client. Using SAC CBA for VMware Horizon 6 Client

Installation and Configuration Guide for Visual Voic Release 8.5

One Identity Starling Two-Factor HTTP Module 2.1. Administration Guide

April Understanding Federated Single Sign-On (SSO) Process

Polycom RealPresence Access Director System

Cloud Access Manager SonicWALL Integration Overview

SonicWall Secure Mobile Access

The Privileged Appliance and Modules (TPAM) 1.0. Diagnostics and Troubleshooting Guide

Stonesoft SSL VPN. Release Notes for Version 1.5.3

Tanium Protect User Guide. Version 1.0.7

Veritas NetBackup Appliance Security Guide

KACE GO Mobile App 4.0. Release Notes

KACE GO Mobile App 5.0. Getting Started Guide

DISCLAIMER COPYRIGHT List of Trademarks

SonicWall Web Application Firewall 2.0. AWS Deployment Guide

Authenticating Devices

KACE GO Mobile App 3.1. Release Notes

SonicWall SonicOS 5.9

Server Installation Guide

Application Note Using SiteManager as Web Proxy And/or Mail Relay Server

StoneGate SSL VPN Release Notes for Version 1.2.0

Xerox Mobile Print Cloud Information Assurance Disclosure. Software Version 3.1 March P03595

BLUEPRINT TEAM REPOSITORY. For Requirements Center & Requirements Center Test Definition

Cloud Security Standards

Release Notes. Dell SonicWALL SRA Release Notes

CS 356 Operating System Security. Fall 2013

Cloud Security Standards and Guidelines

SonicWall Secure Mobile Access SMA 500v Virtual Appliance 8.6. Getting Started Guide

CA Single Sign-On and LDAP/AD integration

CloudLink SecureVM. Administration Guide. Version 4.0 P/N REV 01

Application notes for supporting third-party certificate in Avaya Aura System Manager 6.3.x and 7.0.x. Issue 1.3. November 2017

StoneGate SSL VPN. Release Notes for Version 1.4.5

Symantec Endpoint Protection Integration Component User's Guide. Version 7.0

Cisco Expressway Authenticating Accounts Using LDAP

Security Guide SAP Supplier InfoNet

VeriSign Managed PKI for SSL and Symantec Protection Center Integration Guide

Cloud Security Standards Supplier Survey. Version 1

Policy Manager for IBM WebSphere DataPower 7.2: Configuration Guide

Tanium Discover User Guide. Version 2.5.1

CA Agile Central Installation Guide On-Premises release

Transcription:

Ellipse201703 2017-11-27 English 1.0 1/7 Ellipse8 Security Vulnerability ABBVU-PSSW-201703 Update Date: 11/21/2017 Notice The information in this document is subject to change without notice, and should not be construed as a commitment by ABB. ABB provides no warranty, express or implied, including warranties of merchantability and fitness for a particular purpose, for the information contained in this document, and assumes no responsibility for any errors that may appear in this document. In no event shall ABB or any of its suppliers be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, or from the use of any hardware or software described in this document, even if ABB or its suppliers have been advised of the possibility of such damages. This document and parts hereof must not be reproduced or copied without written permission from ABB, and the contents hereof must not be imparted to a third party nor used for any unauthorized purpose. All rights to registrations and trademarks reside with their respective owners. Affected Products Ellipse 8.3 Ellipse 8.9 (including Ellipse Select) Vulnerability ID ABB ID: ABBVU-PSSW-201703 Summary ABB is aware of a security vulnerability in the product versions listed above.this would require the attacker to have access to the local network.

Ellipse201703 2017-11-27 English 1.0 2/7 An attacker who successfully exploited this vulnerability could discover authentication credentials by sniffing network traffic. ABB is providing resolution to this vulnerability with product release versions 8.5.26-8.9.6 that will be made available December 5-7, 2017. ABB strongly recommends that customers apply the update as soon as they are able. Vulnerability Severity The severity assessment has been performed by using the FIRST Common Vulnerability Scoring System (CVSS) for CVSS v3. The CVSS Environmental Score, which can affect the vulnerability severity, is not provided in this advisory since it reflects the potential impact of a vulnerability within the end-user organizations computing environment; end-user organizations are therefore recommended to analyze their situation and specify the Environmental Score. Note: This is not a vulnerability specific to Ellipse, but rather risk introduced by the implementation of LDAP. The CVSS score reflects this risk. CVSS v3 Base Score: 6.5 CVSS v3 Temporal Score: 6.0 CVSS v3 Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:F/RL:O/RC:C/C R:H: CVSS v3 Link: https://www.first.org/cvss/calculator/3.0 Corrective Action or Resolution ABB is providing resolution to this vulnerability in order to provide adequate protection to customers. The problem is corrected in the following product versions: Ellipse 8.5.26 Release 7 Dec 2017 Ellipse 8.6.21 Release 5 Dec 2017 Ellipse 8.7.18 Release 7 Dec 2017 Ellipse 8.8.12 Release 7 Dec 2017 Ellipse 8.9.6 Release 7 Dec 2017

Ellipse201703 2017-11-27 English 1.0 3/7 ABB is currently working on a solution for customers that deploy Ellipse 8.3/4. If a customer has plans to upgrade, the vulnerability will be address in that version. ABB will notify the Ellipse 8.3/4 customers once it is determined whether a solution is available on their release or whether an upgrade will be required. ABB strongly recommends that customers apply the update as soon as they are able. Vulnerability Details A vulnerability exists in the authentication of Ellipse to LDAP/AD using the LDAP protocol included in the product versions listed above. An attacker could exploit the vulnerability by sniffing local network traffic and discovering authentication credentials. A change has been made to the affected Ellipse versions to secure this authentication over LDAPS between the Application Server and the LDAP/AD server. Note: an attacker would first have to gain access to the local network in order to exploit this vulnerability. Mitigating Factors Recommended security practices and firewall configurations can help protect a process control network from attacks that originate from outside the network. Such practices include that process control systems are physically protected from direct access by unauthorized personnel, have no direct connections to the Internet, and are separated from other networks by means of a firewall system that has a minimal number of ports exposed, and others that have to be evaluated case by case. Process control systems should not be used for Internet surfing, instant messaging, or receiving e-mails. Portable computers and removable storage media should be carefully scanned for viruses before they are connected to a control system. Workarounds ABB has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they can help block known attack vectors. When a workaround reduces functionality, this is identified below as Impact of workaround.

Ellipse201703 2017-11-27 English 1.0 4/7 Enabling LDAPS authentication on the Ellipse Appliance Introduction Ellipse performs external host authentication by using the LDAP protocol for communication with Active Directory or other Directory Services. Standard LDAP traffic (port 389) is not encrypted, and sensitive account information travel between the Ellipse application server and the LDAP server. A change is required to support encryption of authentication information traveling between Ellipse and the External Authentication Service. Please note, this technical note does not cover encryption of traffic between Ellipse and Web Clients, for which support of SSL encryption is already available and documented. Implementation (Appliance) JBOSS has the ability to establish an LDAPS secure connection with AD, provided that an SSL certificate is shared between the authentication server implementing LDAP and Ellipse. A change was made to the Deployment Infrastructure code running on the appliance so that a certificate (and optional CA chain certificate) can be entered as an Environment parameter in VEAM and passed to the JBOSS server running Ellipse, via the appliance's internal automation. Following, steps required to implement this solution. Please note, a manual procedure step is also provided for those customers who require LDAPS encryption but haven't updated their appliances to the latest infrastructure. Step 1: Enable LDAPS on the Active Directory service, "Directory Naming Provider" (common) The AD domain controller (or other directory service) will need to be loaded with a valid certificate and private key. Documentation of that step is out of scope of this document. A good guide is the following link. https://www.petri.com/enable-secure-ldap-windows-server-2008-2012-dc Please note: similarly to the standard LDAP implementation, LDAPS handshaking over SSL occurs only between the Ellipse server and an LDAP server specified in the "Directory Naming Provider" field. Step 2: Add certificate to environment properties in VEAM (automatic procedure) Two new text fields are now available in VEAM, both at the Site and Environment level. Similar to the SSL certificates needed to enable HTTPS traffic, these fields are plain text, and should be loaded with PEM, Base64 encoded certificates. Please note: unlike SSL Server Certificates for HTTPS, a private key is not required for the handshaking.

Ellipse201703 2017-11-27 English 1.0 5/7 Please note that the Directory Naming provider will need to reflect the new LDAPS URL. Standard port for LDAPS traffic is normally 636. The certificate text is to be entered as standard Base64 encoding (PEM format), the same as the standard HTTPS certificates used for Ellipse. Once these parameters are set, an environment should be redeployed to make sure Ellipse can establish an encrypted LDAPS connection. Step 2 alt: Add certificate to JBOSS (manual procedure) This procedure should be performed when VEAM support for LDAPS certificates is not available but LDAP traffic encryption is required. In VEAM, enter the "ldaps:" URL, as shown in the screenshot before, even if the LDAPS certificate fields are not shown. Save and Submit, to redeploy the environment. Once the Ellipse servers are deployed, use your file transfer method of choice to transfer the certificate(s) to the Ellipse virtual server, in PEM format. Connect to the Ellipse server, and issue the following commands to load the certificates to the Java keystore: o service ellipse stop o export JAVA_HOME=/usr/java/default o export PATH=$JAVA_HOME/bin:$PATH o keytool -importcert -file [path_to_cert_file] -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -noprompt - alias ldaps

Ellipse201703 2017-11-27 English 1.0 6/7 o o (repeat for CA certificate if required) service ellipse start Troubleshooting In general, to troubleshoot Ellipse LDAPS issues, the following steps should be performed on the Ellipse VM experiencing failures. 1- Add option " -Djavax.net.debug=ssl,handshake" to JAVA_ARGS in the JBOSS options definition file, /etc/jboss-as/ellipse.conf 2- Restart JBOSS 3- Reproduce the Login Error 4- Collect diagnostic information by running CSI gather 5- Send to ABB for further analysis Conclusion This concludes the steps required to implement encrypted LDAP handshaking. Implementing the solution involves a step to enable LDAPS by uploading and sharing a known certificate. Implementation and troubleshooting requires a good knowledge or Active Directory, the Domain Controller, and supported protocols. It is important to note that this solution is only to enable encryption between the Ellipse Server and the Directory Naming service and does not change or enhance the information exchange between the two parties in any way or form. Frequently asked questions What is the scope of the vulnerability? An attacker who successfully exploited this vulnerability could discover authentication credentials by sniffing local network traffic between Ellipse and the LDAP/AD server. What causes the vulnerability? The vulnerability is caused by the use of unsecured protocols between Ellipse Application Server and the LDAP/AD Server What is the affected product? Ellipse 8.3 Ellipse 8.9 (including Ellipse Select) What might an attacker use the vulnerability to do?

Ellipse201703 2017-11-27 English 1.0 7/7 An attacker who successfully exploited this vulnerability log in to network systems with stolen credentials. Could the vulnerability be exploited remotely? No, to exploit this vulnerability an attacker would need to have to the local network. What does the update do? The update removes the vulnerability by modifying the way that the Ellipse Application will use LDAPS for authentication. When this security advisory was issued, had this vulnerability been publicly disclosed? No, ABB received information about this vulnerability through responsible disclosure. When this security advisory was issued, had ABB received any reports that this vulnerability was being exploited? No, ABB had not received any information indicating that this vulnerability had been exploited when this security advisory was originally issued Support For additional information and support please contact your local ABB service organization. For contact information, see http://new.abb.com/enterprisesoftware/services/maintenance/support. Information about ABB s cyber security program and capabilities can be found at www.abb.com/cybersecurity.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback