Today the DHS ICS-CERT updated a two-month-old HeartBleed advisory for the ABB 650 Series application and issued a new buffer overflow advisory for Yokogawa Centum products. Yokogawa also updated an earlier advisory that has not yet been noticed by ICS-CERT.
ABB HeartBleed Update
This advisory update provides notice that ABB has produced a maintenance release (available through customer service) that mitigates the OpenSSL bug in the 650 Series application. ABB has also updated its Cyber Security Advisory for the HeartBleed bug in its equipment. Interestingly, the ABB-published advisory can’t make up its mind (at the top of page 2) whether the CVSS score is 5.0 or 4.8 (not that there is much difference). ICS-CERT reports a score of 5.0.
This advisory reports a single stack buffer overflow vulnerability in Yokogawa Centum products that was reported by Rapid7 in a coordinated disclosure. Yokogawa has produced a patch that mitigates the vulnerability, but there is no indication in the advisory that Rapid7 has been able to verify the efficacy of the patch.
ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to execute arbitrary code. Yokogawa reports that the vulnerability is accessible only when the Expanded Test Functions Package is in use.
A Yokogawa Update
While following the ICS-CERT link to the Yokogawa report referenced above, I noticed that the company had also updated an earlier report about four buffer overflow vulnerabilities reported earlier. I don’t know why ICS-CERT is reporting on the update (yet?).
The new data in this update is found in the Table 1 list of affected products and fixes. It reports a newer patch for the CENTUM 3000, CENTUM VP, and Exaopc Server products that addresses both the earlier vulnerabilities and the one reported by ICS-CERT today. It also reports that earlier versions of ProSafe-RS, previously reported as having no patches available, may now be corrected.