Thursday, September 12, 2013

ICS-CERT Publishes Siemens SCALANCE Advisory

Yesterday the DHS ICS-CERT published a control system security advisory for the Siemens SCALANCE X-200 switch family. The Web session hijack vulnerability was reported by Eireann Leverett of IOActive in a coordinated disclosure.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to hijack a Web session due to insufficient entropy in the switch’s random number generator. This could allow an attacker to change device configurations.

ICS-CERT reports that Siemens has produced a firmware upgrade that remediates the vulnerability. There is no indication in the ICS-CERT advisory or the Siemens-CERT advisory that Leverett or IOActive has verified the efficacy of the upgrade.
