This afternoon the DHS ICS-CERT published two new advisories reporting multiple vulnerabilities in systems from Schneider Electric and Siemens.
Schneider Advisory
This advisory reports on two vulnerabilities in Schneider Electric’s ETG3000 FactoryCast HMI Gateway, reported by Narendra Shinde of Qualys Security. Schneider has produced a firmware update that mitigates the vulnerabilities. There is no indication in the advisory that Shinde was allowed to validate the efficacy of the update.
The two reported vulnerabilities were:
● Unauthenticated access - CVE-2014-9197; and
● FTP hardcoded credentials - CVE-2014-9198
ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to gain access to the HMI Gateway. ICS-CERT also reports that Shinde reported that default credentials also allow access to configuration files, but this is not counted as a ‘vulnerability’.
The advisory also reports that the firmware update does not actually change the FTP credentials; it merely disables the FTP service. The Schneider ‘readme’ document accompanying the firmware update download explains what functions are lost when FTP is disabled. Schneider also notes that upon an ETG reboot the FTP service is automatically re-enabled.
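Because the fix only disables FTP and a reboot turns it back on, an owner cannot rely on having applied the update once; the service has to be re-checked. The script below is an added example (not from the ICS-CERT advisory, Schneider, or the readme) of a simple periodic check a system owner could run against their own gateways: it attempts a TCP connect to the FTP control port and lists every gateway on which FTP is reachable again. It assumes the gateway's FTP service listens on the standard TCP port 21; the host list is a constructed placeholder, and the `demo()` function uses a throwaway listener on loopback so the check can be exercised without touching a real device.

```python
"""Added example: detect FTP coming back up on an HMI gateway after a reboot.

Not part of the ICS-CERT advisory or of Schneider's firmware update. Assumes the
gateway's FTP service listens on TCP port 21 (standard); hostnames are
constructed placeholders.
"""
import socket
import threading
from dataclasses import dataclass

FTP_PORT = 21  # assumption: the gateway's FTP service uses the standard port


@dataclass
class PortCheck:
    host: str
    port: int
    reachable: bool


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_gateways(hosts, port: int = FTP_PORT, timeout: float = 2.0):
    """Probe the FTP control port on each gateway; return one PortCheck per host."""
    return [PortCheck(h, port, tcp_port_open(h, port, timeout)) for h in hosts]


def report(results):
    """Hosts on which FTP answers, i.e. where the 'disable FTP' mitigation has
    been undone (for example by a reboot) and the service needs disabling again."""
    return [r.host for r in results if r.reachable]


def _local_listener() -> int:
    """Start a throwaway TCP listener on 127.0.0.1 with an ephemeral port.

    Stands in for a gateway whose FTP service has come back up; used only so the
    check can be demonstrated offline. Returns the chosen port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_once():
        try:
            conn, _ = srv.accept()
            conn.close()
        except OSError:
            pass
        srv.close()

    threading.Thread(target=accept_once, daemon=True).start()
    return port


def _closed_port() -> int:
    """Pick an ephemeral loopback port and release it, so a connect is refused."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo():
    """Exercise the check on loopback: a listening 'gateway' and a closed one.

    Returns (reachable_result_for_listening_port, reachable_result_for_closed_port),
    expected to be (True, False)."""
    listening = tcp_port_open("127.0.0.1", _local_listener(), timeout=2.0)
    closed = tcp_port_open("127.0.0.1", _closed_port(), timeout=2.0)
    return listening, closed


if __name__ == "__main__":
    # Constructed placeholder hostnames; replace with your own gateway list.
    gateways = ["etg3000-line1.example.invalid", "etg3000-line2.example.invalid"]
    for host in report(check_gateways(gateways)):
        print(f"WARNING: FTP reachable on {host}; mitigation has been reverted")
    print("loopback demo (listening, closed):", demo())
```

Scheduling this from cron after each maintenance window, and alerting on a non-empty `report()` result, turns the readme's caveat into something an operator will actually notice rather than discover after the fact.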
Siemens Advisory
This advisory reports twin denial of service vulnerabilities in the SCALANCE X-300/X408 switch family. The vulnerabilities were reported by Déjà vu Security. Siemens has produced a firmware update that mitigates the vulnerabilities, but there is no indication that Déjà vu Security has had the opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to execute a denial of service attack. Siemens reports that both vulnerabilities require network access and that one of the vulnerabilities requires the attacker to be able to sign in to the FTP server.
Missed Siemens Advisory
Readers who follow me on TWITTER® (@pjcoyle) know that yesterday when Siemens reported their SCALANCE vulnerability they also reported on their NTP vulnerability in their RuggedCom devices. This is the set of vulnerabilities reported by ICS-CERT back in December. Siemens reports that their ROX based devices may be affected by those vulnerabilities.
They report that they are working on updates for the affected products. Their current advisory does provide some interim mitigation measures that system owners can take while waiting for the updates to be made available.
I suspect that the reason that ICS-CERT did not report this particular Siemens vulnerability is that the original NTP Advisory ‘addressed the problem’. Unfortunately it looks like Siemens (and perhaps other vendors) may have to take additional actions to protect their systems beyond those recommended in the NTP Advisory.