Yesterday the DHS ICS-CERT published a new control system
security advisory for products from Siemens. Two recently published Siemens
updates have yet to be reported by ICS-CERT.
Siemens SCALANCE Advisory
This advisory
describes a web security vulnerability in the Siemens SCALANCE M-800 and S615
modules. The vulnerability was reported by Alexander Van Maele and Tijl Deneut
from HOWEST (University College West Flanders). Siemens has produced a new
firmware version, but there is no indication that the researchers were provided
an opportunity to verify the efficacy of the fix.
ICS-CERT reports that the vulnerability is remotely
exploitable, but that it would be difficult to develop an exploit that could
allow an attacker in a privileged network position to obtain web session
cookies under certain circumstances. The Siemens
Security Advisory explains that an attacker would have to be in a privileged
network position to obtain web session cookies under certain circumstances.
This vulnerability was publicly
reported by Siemens last Thursday.
Recent Siemens Updates
Last week, on the same day that Siemens announced their
update for the vulnerabilities described above, they also announced
an update for their glibc vulnerability that ICS-CERT reported
on in July. I had expected to see the ICS-CERT update their advisory yesterday.
Yesterday Siemens announced
an additional update on multiple
vulnerabilities in their SIMATIC WinCC, PCS 7 and WinCC Runtime
Professional products. ICS-CERT initially
reported on these vulnerabilities in April and updated the report in
June and again in July.
With this only being publicly reported by Siemens yesterday, it was probably
too much to expect that ICS-CERT would also be updating their advisory on the
same day.
Hopefully we will be seeing ICS-CERT updating these two
advisories in the coming days.