Late this afternoon the DHS ICS-CERT published a new advisory for the Siemens SICAM MIC telecontrol device and updated an earlier advisory for the Schneider OFS server. As of 17:20 CDT only the Siemens advisory is listed on the ICS-CERT landing page, but the Schneider update is on the ICS-CERT site. I heard about it from an @ICS-CERT tweet just about 20 minutes ago.
The Schneider advisory updates an earlier advisory released on May 21st. For some reason I don’t have a copy of the original advisory, but it appears that Ivan Sanchez and Schneider found out that the original vulnerability had some sort of synergistic effect (the CVSS score went from 5.0 to 6.6) when the OFS Server was being run in conjunction with Vijeo Citect/CitectSCADA software.
It looks like Schneider is treating this as a separate vulnerability. ICS-CERT reports that Schneider has developed “additional patches that mitigates additional vulnerabilities”, but they don’t describe those ‘additional vulnerabilities’.
Schneider released this on their secure server on May 29th and publicly released it on June 30th.
This advisory describes an authentication bypass vulnerability in the Siemens SICAM MIC telecontrol device. The vulnerability was originally reported by Philippe Oechslin from Objectif Sécurité. Siemens has produced a firmware update to mitigate the vulnerability, but there is no indication that Oechslin has been given an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to perform administrative functions on the device. ICS-CERT reports that network access to the web interface is required and an authorized user must be logged on to the web server when the attack is initiated.