Today the DHS ICS-CERT published updates for control system
advisories from Honeywell and Siemens. They also published two new control
system advisories and a medical control system advisory.
Honeywell Update
This update
explains that additional Honeywell processes in the same applications are affected
by the same vulnerability and mentions the researchers that reported the
vulnerability in those processes. It also provides version numbers for the affected
applications. The update also identifies the .DLL file that contains the source
of the vulnerability and reports that a replacement .DLL file has been made
available for all affected devices.
The original vulnerability was
reported in April. This update was actually published on July 12th,
but there was no public announcement of the advisory until it was announced
today on TWITTER®.
Siemens Update
This update
provides version information for the latest device to have an update available
to resolve the vulnerability. A link has also been made available for that
device. Only one device remains without an update.
The original vulnerability was
reported in April and updated
once in June. As with the June update, there has been no public announcement
of this update. Fortunately, Siemens CERT published a TWEET when they updated
their advisory earlier this week.
Philips Medical Advisory
This advisory describes
a large number of vulnerabilities in the Philips Xper-IM Connect system. The
vulnerabilities were reported by Mike Ahmadi of Synopsys and Billy Rios of
Whitescope LLC. A new software version is available and ICS-CERT reports that
an independent third-party organization has verified the efficacy of the fixes.
ICS-CERT reports that the vulnerabilities were identified on
a system running on Windows XP, Version 1.3.0.065. They identified 272
vulnerabilities associated with the Philips software and an additional 188
vulnerabilities from the unsupported Windows system.
ICS-CERT reported that a relatively low skilled attacker
could remotely exploit these vulnerabilities with publicly available exploits to
compromise the Xper-IM Connect system.
ICS-CERT has added a new recommendation to their standard
list of recommendations to protect medical control systems (and it would apply
to all control systems):
“Ensure that nonproduct-related
software packages, such as email and web browser software, are not installed on
medical devices, as they could contain vulnerabilities, malware, and broaden
the attack surface, which could impact the intended function of the device.”
Schneider SoMachine Advisory
This advisory
describes an ActiveX control vulnerability in the Schneider SoMachine software.
The vulnerability was reported by Andrea Micalizzi via ZDI. Schneider has
provided an update to mitigate the vulnerability. There is no indication that
Micalizzi was provided the opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit this vulnerability to remotely execute arbitrary code.
The Schneider security
notification was originally published on June 10th, 2016.
Moxa Advisory
This advisory
describes an authentication bypass vulnerability in the Moxa MGate products.
The vulnerability was reported by Maxim Rupp. Moxa has produced a new software
version that mitigates the vulnerability. There is no indication that Rupp has
been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that relatively unskilled attacker could
remotely exploit the vulnerability to log in as a valid user.
Schneider Pelco Advisory
This advisory
describes a hard-coded credential vulnerability in the Schneider Pelco Digital
Sentry Video Management System. The vulnerability was self-identified by
Schneider.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit this vulnerability to gain access to confidential information
or execute code on the affected system.
The Schneider security
notification was originally published on June 1st, 2016.
Posts
No comments:
Post a Comment