This afternoon the DHS ICS-CERT published two new control system security advisories for products from Siemens and Eaton. It also published an alert for publicly disclosed vulnerabilities in a Sierra Wireless product.
Siemens Advisory
This advisory describes two vulnerabilities in the Siemens SICAM PAS (Power Automation System). The vulnerabilities were reported by Ilya Karpov and Dmitry Sklyarov of Positive Technologies. Siemens has produced a new version and instructions to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The vulnerabilities are:
• Insufficiently protected credentials - CVE-2016-5848; and
• Information exposure - CVE-2016-5849.
ICS-CERT reports that a relatively unskilled attacker with local access could exploit these vulnerabilities to obtain sensitive information under certain conditions. The Siemens-CERT advisory reports that the attacker must have local access to the SICAM PAS system and, in addition, either certain database privileges or a database that is in a stopped state.
Siemens announced these vulnerabilities this morning on TWITTER®.
Eaton Advisory
This advisory describes twin buffer overflow vulnerabilities in the Eaton ELCSoft programming software. The vulnerabilities were reported by Ariele Caltabiano via the Zero Day Initiative (ZDI). Eaton has released a new revision to mitigate these vulnerabilities. There is no indication that Eaton has provided Caltabiano an opportunity to verify the efficacy of the fix.
The vulnerabilities are:
• Heap-based buffer overflow - CVE-2016-4509; and
• Stack-based buffer overflow - CVE-2016-4512.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to execute arbitrary code on the target system.
Sierra Wireless Alert
This alert describes three vulnerabilities in the Sierra Wireless AirLink Raven XE and XT gateways. The vulnerabilities were reported in a coordinated disclosure by Karn Ganeshen. Sierra Wireless has reported to ICS-CERT that these devices are end of life and no new firmware releases will be made available. Ganeshen released a public report on four vulnerabilities on the Full Disclosure site on June 22nd, 2016 after he was advised that no updates were planned by Sierra Wireless.
The four vulnerabilities reported by Ganeshen are:
• Weak credential management (not reported in ICS-CERT Alert);
• Ace Manager contains a global CSRF vulnerability;
• Sensitive information leakage via GET requests; and
• Unauthenticated access to directories + Arbitrary File Upload.
ICS-CERT reports that Sierra Wireless has provided written mitigation measures to reduce the risk from these vulnerabilities.
NOTE: ICS-CERT did report the name of the reporting researcher, but did not provide a link to the public report.