This afternoon the DHS ICS-CERT published two new advisories for control system vulnerabilities in systems from Siemens and PACTware.
The PACTware advisory describes a handling of exceptional conditions vulnerability in PACTware Consortium’s PACTware application. The vulnerability was reported by Ivan Sanchez from Nullcode Team. PACTware has produced a service pack for the application, and ICS-CERT reports that Sanchez has verified the efficacy of the fix.
ICS-CERT reports that a social engineering attack would have to be used to convince an operator to load and run a specially crafted file.
ICS-CERT reports that the new version (Service Pack 3) can be downloaded from the PACTware Consortium site. There are actually seven different companies using that web site to distribute PACTware 4.1, but only one of the seven companies listed on the site, KROHNE Messtechnik GmbH, clearly has 4.1 SP3 available for download. I could not find the PACTware download on two of the sites, and the other four did not list either version numbers or SP numbers.
The Siemens advisory describes a cross-site scripting vulnerability in the Siemens Climatix BACnet/IP communication module. The vulnerability was reported by Juan Francisco Bolivar Hernandez. Siemens has produced a firmware update to mitigate the vulnerability. There is no indication that Hernandez was given an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability.
The Siemens advisory on this vulnerability notes that the new firmware version has an additional security improvement: web server authentication is enabled by default.