This afternoon the DHS ICS-CERT published two updates to previously issued control system security advisories for products from Siemens and Infinite Automation. They also published a new advisory for a Siemens product.
Please note that neither update was identified on the ICS-CERT landing page. You would only have been notified of them by seeing them on TWITTER (Siemens here and Infinite Automation here). If you have signed up for ICS-CERT update emails you will likely receive them tomorrow. All of the ones that I have received to date have come in the next day.
The Siemens update establishes the version numbers of the ROX II-based products affected by the TLS POODLE vulnerability and announces that the firmware update for the ROX II devices is now available. All Siemens products affected by the vulnerability now have updates available.
The Siemens CERT announced their update last Friday morning on TWITTER.
Infinite Automation Update
This update announces the availability of a new version that mitigates all of the identified vulnerabilities, including the cross-site scripting vulnerability that the previous update did not address. The advisory reports that the researchers who identified the vulnerabilities have verified the efficacy of the fix.
Version notes for the latest version (2.7.0) are not yet available on the Infinite Automation web site.
This advisory describes four new vulnerabilities related to the NTP daemon in the Siemens RUGGEDCOM ROX-based devices. The vulnerabilities were apparently self-identified. Siemens has produced firmware updates to mitigate the vulnerabilities.
The vulnerabilities are:
• Authentication bypass issues - CVE-2015-7871; and
• Three input validation vulnerabilities - CVE-2015-7855, CVE-2015-7704, and CVE-2015-5300.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to affect the ability of the devices to properly update time.
These new NTP vulnerabilities do not appear to be directly related to the general NTP vulnerability issues that ICS-CERT addressed last year. What is not clear from this advisory is whether the vulnerabilities are found in just the RUGGEDCOM implementation of NTP or if this is also a problem that may affect devices from multiple manufacturers. I suspect that the vendors identified in the previous NTP advisory should probably check their implementations to see if their devices might also be affected.
The Siemens CERT announced their advisory last Friday morning on TWITTER.