This afternoon the DHS ICS-CERT published four control system advisories for products from Honeywell (1) and Siemens (3). The Honeywell advisory had been previously released on the US-CERT Secure Portal. Siemens had announced all three of its advisories last Friday on Twitter.
Honeywell PHD Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Honeywell Uniformance Process History Database (PHD). The vulnerability was self-identified. Honeywell has produced a patch to mitigate the vulnerability.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to execute a denial of service attack.
This vulnerability was originally reported on the US CERT Secure Portal on March 10th, 2016. If you were keeping up with ICS-CERT activity on the Secure Portal you would already have had more than a month to figure out how to deal with this advisory.
Siemens Industrial Products Advisory
This advisory describes the DROWN vulnerability (continued SSLv2 support that lets an attacker decrypt TLS sessions protected by the same RSA key) in a number of Siemens SCALANCE and ROX products. Patches are still in development. In the meantime, Siemens has provided a series of countermeasures to reduce the risk of this vulnerability.
ICS-CERT reports that it would be difficult to use one of the publicly available exploits to remotely exploit this vulnerability to decrypt intercepted TLS sessions.
NOTE: The initial DROWN vulnerability paper was published on March 1st, 2016.
NOTE: I have not seen any other ICS vendors reporting DROWN vulnerabilities. Nor has ICS-CERT issued anything on it to-date. It is highly unlikely that Siemens is the only vendor with vulnerable systems.
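The Siemens countermeasures, and the check a practitioner should run before relying on them, both reduce to one question: does the device, or anything else that holds the same RSA key, still answer an SSLv2 handshake? The following is an added example (not Siemens's or ICS-CERT's code) that asks that question by hand-building the SSLv2 CLIENT-HELLO, since modern TLS libraries will not send one, and classifying what comes back. The SERVER-HELLO bytes in `sample_server_hello()` are constructed for the offline demonstration, not captured from any product; the `probe()` host and port are whatever you point it at.

```python
# Added example: probe a TCP service for SSLv2 support, the precondition for DROWN.
# Not vendor code. Sample reply bytes below are constructed, not captured.
import os
import socket
import struct

# SSLv2 cipher specs (3 bytes each). Offering all of them maximises the chance a
# legacy stack answers; the EXPORT40 suites are what make general DROWN cheap.
SSLV2_CIPHERS = {
    "SSL_CK_RC4_128_WITH_MD5": b"\x01\x00\x80",
    "SSL_CK_RC4_128_EXPORT40_WITH_MD5": b"\x02\x00\x80",
    "SSL_CK_RC2_128_CBC_WITH_MD5": b"\x03\x00\x80",
    "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5": b"\x04\x00\x80",
    "SSL_CK_IDEA_128_CBC_WITH_MD5": b"\x05\x00\x80",
    "SSL_CK_DES_64_CBC_WITH_MD5": b"\x06\x00\x40",
    "SSL_CK_DES_192_EDE3_CBC_WITH_MD5": b"\x07\x00\xc0",
}
_CIPHER_NAMES = {spec: name for name, spec in SSLV2_CIPHERS.items()}


def build_sslv2_client_hello(challenge=None):
    """Build an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher spec."""
    challenge = os.urandom(16) if challenge is None else challenge
    ciphers = b"".join(SSLV2_CIPHERS.values())
    body = (
        b"\x01"                              # MSG-CLIENT-HELLO
        + b"\x00\x02"                        # CLIENT-VERSION = SSLv2
        + struct.pack(">H", len(ciphers))    # CIPHER-SPECS-LENGTH
        + b"\x00\x00"                        # SESSION-ID-LENGTH (no resumption)
        + struct.pack(">H", len(challenge))  # CHALLENGE-LENGTH
        + ciphers
        + challenge
    )
    # Two-byte SSLv2 record header: high bit set means no padding, 15-bit length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_sslv2_server_hello(data):
    """Parse an SSLv2 SERVER-HELLO; return None if `data` is not one."""
    if len(data) < 3:
        return None
    hdr = struct.unpack(">H", data[:2])[0]
    if hdr & 0x8000:                     # 2-byte header, no padding
        rec_len, off = hdr & 0x7FFF, 2
    else:                                # 3-byte header, third byte is padding length
        rec_len, off = hdr & 0x3FFF, 3
    body = data[off:off + rec_len]
    if len(body) < 11 or body[0] != 0x04:   # MSG-SERVER-HELLO
        return None
    cert_type = body[2]
    version = struct.unpack(">H", body[3:5])[0]
    cert_len, cs_len, conn_id_len = struct.unpack(">HHH", body[5:11])
    if len(body) < 11 + cert_len + cs_len + conn_id_len:
        return None
    cs = body[11 + cert_len:11 + cert_len + cs_len]
    names = [_CIPHER_NAMES.get(cs[i:i + 3], cs[i:i + 3].hex()) for i in range(0, len(cs), 3)]
    return {"version": version, "cert_type": cert_type, "cert_len": cert_len,
            "ciphers": names, "export_ciphers": [n for n in names if "EXPORT" in n]}


def classify_response(data):
    """Map the bytes a server sent back to our SSLv2 CLIENT-HELLO to a verdict."""
    if not data:
        return "closed"          # connection dropped: SSLv2 not spoken
    if data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls-only"        # TLS alert/handshake record: server refused SSLv2
    hello = parse_sslv2_server_hello(data)
    if hello is None:
        return "unknown"
    return "sslv2-export" if hello["export_ciphers"] else "sslv2"


def probe(host, port=443, timeout=5.0):
    """Connect, send the SSLv2 CLIENT-HELLO and classify the reply (needs network)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify_response(reply)


def sample_server_hello():
    """Constructed (not captured) SERVER-HELLO: dummy 3-byte cert, RC4 plus RC2-export."""
    cert = b"\x30\x82\x00"                   # placeholder bytes, not a real certificate
    cs = SSLV2_CIPHERS["SSL_CK_RC4_128_WITH_MD5"] + SSLV2_CIPHERS["SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5"]
    conn_id = b"\x00" * 16
    body = (b"\x04\x00\x01\x00\x02"          # MSG-SERVER-HELLO, no session hit, X.509, v2
            + struct.pack(">HHH", len(cert), len(cs), len(conn_id))
            + cert + cs + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:   # python drown_probe.py <host> [port]
        print(sys.argv[1], probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
    else:
        print("constructed reply ->", classify_response(sample_server_hello()))
```

Two caveats when using it. First, DROWN does not need the TLS endpoint you care about to speak SSLv2 itself; any other service (a management port, a mail relay, a second device) presenting the same key is enough, so run the probe against every listener that shares the certificate, not just the one in the advisory. Second, "sslv2" without export suites is still a finding to close: the export suites make the general attack cheap, but SSLv2 acceptance of any kind is the condition the countermeasures exist to remove.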
Siemens SCALANCE Advisory
This advisory describes a resource exhaustion vulnerability in the Siemens SCALANCE S613 firewall device. The vulnerability was apparently self-identified. Siemens will provide user-specific mitigation measures for this vulnerability. There is no indication in either the ICS-CERT advisory or the Siemens ProductCERT advisory that a patch is forthcoming for this vulnerability.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to execute a denial of service attack on the web server on the device.
Siemens glibc Library Advisory
This advisory describes a buffer overflow vulnerability in the glibc library of a number of Siemens products; the prerequisites Siemens lists (attacker-controlled DNS answers) mark it as the glibc DNS resolver overflow disclosed in February 2016. Siemens has produced updates to mitigate this vulnerability in their ROX II and APE devices. Pending updates for other affected devices, Siemens provides suggested mitigation measures.
ICS-CERT reports that this vulnerability is remotely exploitable and exploits are publicly available, but crafting a working exploit would be difficult. A successful exploit could result in a denial of service condition. The Siemens ProductCERT advisory suggests that execution of arbitrary code could result from a successful exploit; noting that:
“In order to exploit the vulnerability, the attacker must be able to either trick a targeted host to resolve attacker-controlled domain names, to use attacker-controlled DNS servers for resolution, or to gain a privileged network position allowing him to capture and modify the affected device’s network communication.”
NOTE: This is another library based vulnerability that may be expected to affect products from other vendors as well.