Security researchers found 14 vulnerabilities in Gemalto Sentinel hardware tokens, which could allow dangerous ICS attacks, including full-system takeover.
A long disclosure and remediation process between security researchers and a hardware token vendor resulted in patches for dangerous flaws that could have led to attacks on critical infrastructure.
Researchers from Kaspersky Lab Industrial Control System Cyber Emergency Response Team (ICS CERT) said they decided to investigate Gemalto Sentinel USB tokens after penetration tests showed the "solution provides license control for software used by customers and is widely used in ICS and IT systems."
"The solution's software part consists of a driver, a web application and a set of other software components. The hardware part is a USB token. The token needs to be connected to a PC or server on which a software license is required," Kaspersky researchers wrote in a report. "From researchers' viewpoint, [the Gemalto Sentinel software] exhibited a rather curious behavior in the system: it could be remotely accessed and communicated with on open port 1947. The protocol type was defined by the network packet header -- either HTTP or a proprietary binary protocol was used. The service also had an API of its own, which was based on the HTTP protocol."
Kaspersky ICS CERT ultimately found 14 vulnerabilities in Gemalto SafeNet Sentinel tokens, the most critical of which "can be used without local privilege escalation -- the vulnerable process runs with system privileges, enabling malicious code to run with the highest privileges."
Vladimir Dashchenko, head of the ICS CERT vulnerability research team at Kaspersky Lab, told SearchSecurity this issue needs attention, because "some of the ICS vendors use such license managers for SCADA [supervisory control and data acquisition] software."
"Some vulnerabilities that we found allow remote code execution, meaning an attacker can access someone else's computing device and make their own changes. For example, vulnerabilities can provide an attacker with the ability to execute malicious code and take complete control of an affected system with the same privileges as the user running the application," Dashchenko said via email. "Some vulnerabilities are denial-of-service (DoS) vulnerabilities that can stop vulnerable processes. However, in some cases, it could possibly cause denial of service for the machine."
Paul Brager Jr., technical product security leader at Houston-based Baker Hughes and former cybersecurity project manager focused on ICS at Booz Allen Hamilton, said the "potential implications and risks for ICS are not trivial."
"Open ports that allow remote interaction with engineering workstations or servers that run human machine interface or other process-oriented software licenses managed by this solution could lead to an impact to the software itself, the control assets that are managed by the software, or both," Brager told SearchSecurity. "Worst-case scenario is an impact to the processes that are being governed by the licensed solution -- some of which could be critical operating processes. Also, given the care that is required when patching, the risks could persist for some time."
Gemalto Sentinel disclosure and patching
The timeline of the disclosure and patching and issues with communication from Gemalto caught the researchers' attention. According to Kaspersky, the first set of vulnerabilities was reported to Gemalto in early 2017, but it wasn't until late June, "in response to our repeated requests," that Kaspersky received a reply.
Dashchenko clarified the timeline and noted that although Gemalto claimed it "notified all of its customers of the need to update the driver via their account dashboards, we were contacted by several developers of software that use this server, and it became clear they were not aware about the issue."
"We have informed and sent to the vendor information regarding all of the identified vulnerabilities. In early 2017, we sent information about 11 vulnerabilities, and in late June, the vendor informed us that a patch had been released and information about the vulnerabilities that had been closed, along with a new version of the driver, could be found on the company's internal user portal," Dashchenko said. "On June 26, we informed Gemalto of the suspicious functionality and of three more vulnerabilities. On July 21, the vendor released a private notice about a new driver version -- without any mention of the vulnerabilities closed."
Gemalto did not respond to requests for comment at the time of this post.
Dashchenko added that Gemalto Sentinel is a "very popular licensing solution," and noted that an advisory from Siemens listed 16 services that need patching against these issues.
Ken Modeste, global principal engineer at Underwriters Laboratories, based in Northbrook, Ill., said patching ICS is complex, so users may be wary of the Gemalto Sentinel issues.
The risk associated with either downtime or inadvertent failures ... will typically be too high for end users to accept.
Ken Modesteglobal principal engineer at Underwriters Laboratories
"Factory automation and connected control systems are vetted, tested, reliable systems. Deploying patches that have not seen significant runtime and test time can cause significant issues. Most of the implemented systems have requirements around safety, reliability and uptime. Therefore, deploying a patch to software or an embedded product can affect an operational system," Modeste told SearchSecurity. "The risk associated with either downtime or inadvertent failures associated with a patch of either the inherent device or software, or its interaction with other devices and software, will typically be too high for end users to accept."
Moreno Carullo, co-founder and CTO of Nozomi Networks, an ICS cybersecurity company headquartered in San Francisco, said patching is especially important, because "while blocking port 1947 is an option to mitigate the problem, it is also not a solution that is suited for all business processes."
"Blocking this port could result in the cessation of integral services, as well," Carullo told SearchSecurity. "ICS operators could have strong visibility into the network by applying technologies that are able to monitor the traffic passively to detect anomalies or suspicious activities. These technologies should also be integrated with the firewall to increase the needed visibility in such scenarios."
Brager said the risks of patching the Gemalto Sentinel issues "could be significant, given the pervasiveness of the SafeNet solution in both enterprise and OT [and] ICS environments."
"Particularly concerning is the pervasiveness of the solution in control system environments and what [that] could potentially mean for assets that leverage the SafeNet dongle solution to operate," Brager said. "In those instances, patching those systems can be a significant -- and time-consuming -- undertaking. Enterprise patching may not be nearly as complex and critical, but it, too, comes with its own sets of risks."
