Today the DHS ICS-CERT published four documents concerning vulnerabilities
in control systems. One is actually a correction to yesterday’s Siemens OpenSSL
update. Then they updated the BASH advisory and issued a supplement to that
advisory. Finally they published a new advisory for a medical supply system
with multiple vulnerabilities.
Siemens OpenSSL Update
Yesterday ICS-CERT published
an update for the Siemens OpenSSL advisory that reported that all affected
systems had updates available. Today they are
reporting that what Siemens actually said was that a new update was
available for ROX 2-based devices. And it reports that Siemens is still working
on an update for ROX 1.
Oops, no, they got it wrong again. According to the Siemens
ProductCERT advisory, the newest update only affects ROX V2.6.0 with
Crossbow V4.2.3. There are three
products listed by Siemens that do not currently have updates available:
• APE 1 with eLAN installed: All
versions <= 1.0.1;
• ROX 1: All versions (only
affected if Crossbow is installed);
• ROX 2 with eLAN installed: All
versions < V2.6.0
Sorry. I did not read the Siemens ProductCERT advisory on
this yesterday; I trusted ICS-CERT to get it right. Well, maybe they’ll get it
right tomorrow. And that will be version ‘F’ when we should still be on version
‘C’. Oh well….
BASH Advisory Update and Supplement
Back in September ICS-CERT published a brief advisory on the
Bash command injection vulnerability. I was kind of busy at the time and didn’t
write about their advisory because much more complete information was readily
available elsewhere. Well, today they published an update to that advisory that
was not much better. The only change was the addition of the following
paragraph:
“ICS-CERT sent out a query to
vendors we have collaborated with in the past. Many have responded back with
information about which products are affected by this bash vulnerability.
ICS-CERT created a supplement to this advisory that contains this information.
It can be found at the following web location: https://ics-cert.us-cert.gov/advisories/Supplement-ICSA-14-269-01.
This supplement will be updated with additional information as it becomes
available, without updating this advisory.”
So now we have a new ICS-CERT document that will be
periodically updated so they don’t have to update the advisory so often???
Okay, whatever.
Okay, the supplement provides some useful information. First
it provides a list of companies that have responded to ICS-CERT inquiries about
potentially vulnerable systems. Then it provides a list of vulnerable systems
(by vendor) with links to further information. It is not clear that systems
from vendors on the first list that are not listed on the second list are
actually not vulnerable. I think that that may be a dangerous assumption to
make. In any case, selected products from the following vendors are reportedly
at least potentially vulnerable:
• ABB;
• Cisco;
• Digi;
• eWON;
• Meinberg;
• Moxa;
• Red Lion (pardon me; their products use the bash
shell but “are not considered to be vulnerable or exploitable”); and
• Siemens (okay, this lets them off
the hook for not mentioning the Siemens ProductCERT advisory yesterday).
Pyxis Advisory
NOTE: This is for a medical supply control system, not
really an industrial control system, but hey the FDA won’t touch this and
ICS-CERT doesn’t have anything else going on right now….
This advisory is
for multiple authentication vulnerabilities in the CareFusion Pyxis
SupplyStation reported by Billy Rios. CareFusion has produced a new version of
the software that mitigates three of the four vulnerabilities. No mention if
Billy was given the chance to verify the efficacy of the fix.
ICS-CERT reports that the vulnerabilities are:
• Hard-coded password, CVE-2014-5422;
• Insecure temporary files, CVE-2014-5423.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit these vulnerabilities to manipulate the locking controls
on the automated medical supply cabinets. I don’t expect that these are used to
dispense narcotics or else the DEA would be involved.
CareFusion reportedly will not be offering a fix to one of
the hard-coded credential vulnerabilities because it would only allow access to
some application files, but not the physical access controls. That would seem
to be a reasonable risk assessment decision if it was made by the system owner,
not the manufacturer. The good news is that it will be fixed in future versions.