Tuesday, February 2, 2016

ICS-CERT Updates Siemens Advisory and Publishes Two New Advisories

Today the DHS ICS-CERT published an update for a Siemens advisory that was originally published on December 1st, 2015. Two new advisories were also published for vulnerabilities in control system components from GE and Sauter.

Siemens Update

This update updates the vulnerable device list to provide limiting version numbers. It also announces that firmware updates are now available for SIMATIC TIM 3V-IE, TIM 4R-IE, and CP 443-1 / CP 443-1 Advanced modules. Siemens is still working on updates for a number of other affected devices. Both of the recent updates to the Siemens Security Advisory are covered in today’s update.

As has become usual for ICS-CERT advisory updates, this updated was not listed on the ICS-CERT landing page, but it was reported on TWITTER®.

GE Advisory

This advisory describes twin vulnerabilities in the GE SNMP/Web Interface adapter. The vulnerabilities were reported by Karn Ganeshen. GE has produced a firmware update to fix the vulnerability in newer versions. There is no indication that Ganeshen has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Command injection - CVE-2016-0861; and
• Cleartext storage of sensitive information - CVE-2016-0862

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to execute arbitrary system commands.

The GE Product Security Advisory notes that these adapters are used with uninterruptable power supplies.

Sauter Advisory 

This advisory describes three vulnerabilities in the Sauter moduWeb Vision application. The vulnerabilities were reported by Martin Jartelius and John Stock of Outpost24. Sauter has produced a firmware update to fix the vulnerabilities. ICS-CERT reports that the researchers have validated the efficacy of the fix.

The vulnerabilities include:

• Insecure credential storage - CVE-2015-7914;
• Insecure transmission of credentials - CVE-2015-7915; and
• Cross-site scripting - CVE-2015-7916

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to gain system access and escalate privileges. 

No comments:

 
/* Use this with templates/template-twocol.html */