This afternoon the DHS ICS-CERT published two updated
advisories for control system vulnerabilities in Sierra Wireless AirLink
products and various Siemens products. Both updates seem to be relatively minor
changes to the ICS-CERT document. ICS-CERT does not report on the new
information from Sierra Wireless; it just provides a link to the information.
Sierra Wireless Update
This advisory was originally
published on January 8th, 2014 and has already been updated
once. The purpose of today’s update was to include a
link (.PDF download link) to an updated security advisory from Sierra
Wireless. The earlier Sierra Wireless publication noted that they would
investigate “methods to perform secure firmware updates remotely, and will
provide information on this method when available”. The latest update (from May
28th; I wonder why it took ICS-CERT so long to update their
advisory? I suspect that they were not informed by Sierra Wireless of the new
information) provides those “details”:
• “Directly attaching a PC running
the firmware update tool to the device via an Ethernet cable; or
• “Connecting to the device via VPN
and performing the update over the VPN tunnel.”
I can see why it would take five months to come up with
those useful techniques (SARCASM).
There is something even more interesting in the newest
version of the Sierra Wireless documents that ICS-CERT missed in their update.
To be fair, I also missed it in looking at the January Sierra Wireless
document. The ICS-CERT advisory is specifically targeted at the ‘AirLink Raven
X EV-DO product’. Sierra Wireless reports that the same vulnerability exists on
the ‘Raven X, Raven XE, Raven XT, PinPoint X, PinPoint XT and MP Products’.
The ‘PinPoint’ products are all listed as “Discontinued, Not
Supported”. Fortunately, the new mitigation measures will work just as well on
the older models, so perhaps that is why their vulnerability was not reported by
ICS-CERT.
Siemens Vulnerability Update
The new data in this update was not provided by Siemens, but
was more likely a response to a Siemens complaint about the wording in the
initial advisory that made it seem that there were specific exploits directed
at the Siemens products. ICS-CERT wrote in the original advisory (no longer
available on-line) that:
“Exploits that target these
vulnerabilities are known to be publicly available.”
While there are certainly HeartBleed exploits in play, we haven’t
heard anything that would specifically point to their use against the Siemens
products listed in this advisory (nor any ‘proof’ that they haven’t).
In any case ICS-CERT revised the wording to read:
“Exploits that target OpenSSL
vulnerabilities are publicly available. ICS-CERT is unaware of any OpenSSL
exploits that target Siemens’ products specifically.”
They are, of course, not saying that no one (sorry about the
double negative but it is important and an appropriate use in this context) has
specifically targeted these vulnerabilities in the Siemens products. That would
be impossible to prove. We can probably take small comfort in the assumption
that they probably would not have made this change if they had any reliable
information indicating a possible HeartBleed related compromise of a Siemens system.
BTW: Yesterday’s
advisories are now listed on the ICS-CERT landing page.