Today the DHS ICS-CERT published updates for control system advisories from Honeywell and Siemens. They also published two new control system advisories and a medical control system advisory.
Honeywell Update
This update explains that additional Honeywell processes in the same applications are affected by the same vulnerability and mentions the researchers that reported the vulnerability in those processes. It also provides version numbers for the affected applications. The update also identifies the .DLL file that contains the source of the vulnerability and reports that a replacement .DLL file has been made available for all affected devices.
The original vulnerability was reported in April. This update was actually published on July 12th, but there was no public announcement of the advisory until it was announced today on TWITTER®.
Siemens Update
This update provides version information for the latest device to have an update available to resolve the vulnerability. A link has also been made available for that device. Only one device remains without an update.
The original vulnerability was reported in April and updated once in June. As with the June update, there has been no public announcement of this update. Fortunately, Siemens CERT published a TWEET when they updated their advisory earlier this week.
Philips Medical Advisory
This advisory describes a large number of vulnerabilities in the Philips Xper-IM Connect system. The vulnerabilities were reported by Mike Ahmadi of Synopsys and Billy Rios of Whitescope LLC. A new software version is available and ICS-CERT reports that an independent third-party organization has verified the efficacy of the fixes.
ICS-CERT reports that the vulnerabilities were identified on a system running on Windows XP, Version 1.3.0.065. They identified 272 vulnerabilities associated with the Philips software and an additional 188 vulnerabilities from the unsupported Windows system.
ICS-CERT reported that a relatively low-skilled attacker could remotely exploit these vulnerabilities with publicly available exploits to compromise the Xper-IM Connect system.
ICS-CERT has added a new recommendation to their standard list of recommendations to protect medical control systems (and it would apply to all control systems):
“Ensure that nonproduct-related software packages, such as email and web browser software, are not installed on medical devices, as they could contain vulnerabilities, malware, and broaden the attack surface, which could impact the intended function of the device.”
Schneider SoMachine Advisory
This advisory describes an ActiveX control vulnerability in the Schneider SoMachine software. The vulnerability was reported by Andrea Micalizzi via ZDI. Schneider has provided an update to mitigate the vulnerability. There is no indication that Micalizzi was provided the opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to execute arbitrary code.
The Schneider security notification was originally published on June 10th, 2016.
Moxa Advisory
This advisory describes an authentication bypass vulnerability in the Moxa MGate products. The vulnerability was reported by Maxim Rupp. Moxa has produced a new software version that mitigates the vulnerability. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to log in as a valid user.
Schneider Pelco Advisory
This advisory describes a hard-coded credential vulnerability in the Schneider Pelco Digital Sentry Video Management System. The vulnerability was self-identified by Schneider.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to gain access to confidential information or execute code on the affected system.
The Schneider security notification was originally published on June 1st, 2016.