This afternoon the DHS ICS-CERT published three advisories for industrial control system vulnerabilities in systems from Siemens, Schneider and Saia Burgess Controls. ICS-CERT also announced an alternative method for notification of the release of advisories, alerts, and other publications.
Siemens Advisory
This advisory describes an authentication bypass vulnerability in a number of Siemens SIMATIC Communications Processor devices. The vulnerability was reported by Lei ChengLin (Z-0ne) from the Fengtai Technologies’ Security Research Team. Siemens has produced a firmware update for one of the devices (SIMATIC CP 343-1) and the other updates are in the works. There is no indication that Lei has been provided the opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to perform administrative operations on the Communication Processor. Network access to port 102/TCP is required, and the Communication Processor’s configuration must be stored on its corresponding CPUs for the vulnerability to be exploited. Siemens notes that the firewall functionality of Advanced-CPs must be turned off for port 102/TCP for the vulnerability to be exploited.
NOTE: This vulnerability was announced by Siemens on Twitter last Friday.
Schneider Advisory
This advisory describes eleven ActiveX code injection vulnerabilities (listed under a single CVE) in the Schneider ProClima F1 Bookview ActiveX control application. The vulnerabilities were reported through the Zero Day Initiative by Ariele Caltabiano and Fritz Sands (Sands was mentioned in the Schneider advisory but not the ICS-CERT advisory). Schneider has produced an update to mitigate these vulnerabilities, but there is no indication that Caltabiano was provided the opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to modify arbitrary memory, leading to remote code execution.
Schneider reports that the vulnerabilities reside in the thermal calculation software.
Saia Burgess Controls Advisory
This advisory describes a hard-coded password vulnerability in the Saia Burgess Controls family of PCD controllers. The vulnerability was reported by Artyom Kurbatov. Saia has produced a new firmware version that mitigates the vulnerability and Kurbatov has validated the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to gain administrative access to the target device and resources.
Saia cautions that the upgraded firmware will still not protect the PCD controllers if they are connected directly to the Internet. Their Security Rules document provides recommendations for securing these controllers.
You can now get ICS-CERT publications sent directly to your email via GovDelivery. Simply register for the service, click on which publications you want and wait for the emails. Publications from National Cyber Awareness System Mailing Lists and the Critical Infrastructure Cyber Community Voluntary Program (C3VP) are also available from this system.
DHS has tried these email notification systems for a number of their web sites. I’ve signed up for a bunch of them and the notifications seem to dry up after a while. Maybe this one will be different. Go ahead, give it a try; I did. We all take perverse pride in our inflated inboxes.