The DHS ICS-CERT recently updated two control system security advisories for products from Siemens (the two I briefly discussed last week). Yesterday they also published two new control system security advisories for products from Indas and Beckhoff.
Siemens SIMATIC Update
This update adds new information to an advisory originally published in July and then updated in August. It provides updated affected-version information for SIMATIC WinCC v7.0 SP3 and SIMATIC PCS 7 v8.0. It also provides update links for SIMATIC WinCC v7.0 and SIMATIC PCS 7 v7.2 and v8.0.
Siemens glibc Update
This update adds new information to an advisory originally published in April and updated once in June and then again in July. It provides updated affected-version information for SCALANCE M-800/S615. It also provides a link to a patch for the affected SCALANCE M-800/S615 products.
Indas Advisory
This advisory describes a path traversal vulnerability in the INDAS Web SCADA application. The vulnerability was reported by Ehab Hussein of IOActive. INDAS has produced a new version of the software to mitigate the vulnerability, but there is no indication that Hussein has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to download arbitrary files from the target system.
Beckhoff Advisory
This advisory describes two vulnerabilities in the Beckhoff Embedded PC Images and TwinCAT Components. The vulnerabilities were publicly reported in February of 2015 at the 1st International Conference on Information Systems Security and Privacy by Marko Schuba of FH Aachen University of Applied Sciences (there may be an earlier report). In 2014 Beckhoff produced a new version of the software and published three security advisories (here, here, and here) to mitigate the vulnerabilities, but there is no indication that Schuba has been provided an opportunity to verify the efficacy of the fixes.
The vulnerabilities described in the advisory are:
• Improper restriction of excessive authentication attempts - CVE-2014-5414; and
• Exposed dangerous method or function - CVE-2014-5415
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to gain unauthorized access to systems or to read and manipulate transmitted information, especially passwords. Interestingly, ICS-CERT does not apparently consider the formal academic paper on these vulnerabilities to be a public exploit that “specifically target these vulnerabilities”.