Today the DHS ICS-CERT published three new control system
advisories affecting control system products from Advantech, Cogent and
Siemens.
Advantech Advisory
This advisory reports on 5 different vulnerabilities in the Advantech
WebAccess application. The vulnerabilities were reported by Dave Weinstein,
Tom Gallagher, John Leitch, and others via the Zero Day Initiative (ZDI),
though they are not currently listed on ZDI's 'published advisories' page.
ICS-CERT notes that a new version of the application is available that
corrects the problems, but there is no indication that the reporting
researchers have been given a chance to verify the efficacy of the
mitigation efforts.
The vulnerabilities include:
• Stack-based buffer overflows (11 separate instances), CVE-2014-2364;
• Remote code execution, CVE-2014-2365;
• Password disclosure, CVE-2014-2366;
• Remote authentication bypass, CVE-2014-2367; and
• Unsafe ActiveX control marked safe for scripting, CVE-2014-2368.
ICS-CERT reports that a moderately skilled attacker could use the publicly
available exploits for these vulnerabilities to execute arbitrary code on
the system. The advisory notes that the new version 7.2 corrects these
deficiencies. The WebAccess site lists the v7.2 download as 'Trial
Software' and still offers v7.1 for free download without mention of these
vulnerabilities.
Cogent Advisory
This advisory reports a code injection vulnerability in the Cogent DataHub
application. The vulnerability was reported by John Leitch via ZDI (but
again not currently listed there). A new version of DataHub is available
that reportedly corrects this vulnerability, but there is no indication
that Leitch has had an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could
use the publicly available exploit to remotely execute arbitrary code.
In addition to making an updated version available for
download, Cogent advises that an owner/operator could mitigate the
vulnerability by:
• Disabling the web server component in their Cogent DataHub installation, or
• Configuring their network security to block access to the Cogent DataHub web server from untrusted locations.
Siemens Advisory
This advisory reports four vulnerabilities that relate to the OpenSSL
software used by previously unreported Siemens applications. These
vulnerabilities were self-reported by Siemens. Upgrades are available for
some of the applications and Siemens has provided alternative mitigation
measures for the others.
ICS-CERT reports that the four vulnerabilities include:
• A man-in-the-middle vulnerability, CVE-2014-0224; and
• Three separate improper input validation vulnerabilities, CVE-2014-0198, CVE-2010-5298, and CVE-2014-3470.
NOTE: All of these CVEs are existing OpenSSL vulnerability reports.
The Siemens ProductCERT advisory reports that the updated versions of APE
2.0.2 and WinCC OA (PVSS) 3.12-P009 are available. Updates for the products
listed below are being prepared, but the advisory provides alternative
mitigation measures to be used in the interim.
• ROX 1: all versions (only affected if Crossbow is installed)
• ROX 2: all versions (only affected if eLAN or Crossbow is installed)
• S7-1500: all versions
• CP1543-1: all versions