Yesterday the DHS ICS-CERT published three control system security advisories for products from OSIsoft, Siemens and Phoenix Contact. Earlier this week they also published the September – October 2016 Monitor.
ICS-CERT Monitor
The latest issue of the ICS-CERT Monitor reports on the activities of the DHS ICS-CERT for September and October of 2016. There is little really valuable information in this issue, with ICS-CERT returning to the glossy corporate quarterly report format. The main articles include:
• ICS-CERT Vulnerability Coordination;
• Cybersecurity Crawl, Walk, Run;
• DHS Moving US-CERT Portal to HSIN, Rebranding as NCCIC Portal;
• ICSJWG Fall 2016 Meeting Recap;
• ICS-CERT Hosts Regional Training in Lisbon, Portugal;
• ICS-CERT Releases Defense-in-Depth and Annual Vulnerability Coordination Reports; and
• What is a CSET Assessment?
OSIsoft Advisory
The advisory describes an “incomplete model of endpoint features” vulnerability in the OSIsoft PI System software. This is apparently a self-reported vulnerability. OSIsoft has produced a new version that mitigates the vulnerability.
ICS-CERT reports that a relatively unskilled attacker with local access could effect a DoS attack causing a shutdown of the PI Data Archive or connected applications. The OSIsoft Security Update, on the other hand, reports that an exploit of the session management issue could “result in remote shutdown of the PI Data Archive or connected applications”.
Siemens Advisory
The advisory describes a privilege escalation vulnerability that affects several industrial products from Siemens (18 products are listed in the advisory). The vulnerability was reported by WATERSURE and KIANDRA IT. Siemens has produced updates for six of the products and temporary fixes for the remaining products pending the production of new updates.
ICS-CERT reports that crafting a working exploit of the vulnerability would be difficult and would require local authenticated access to the product. Interestingly, the Siemens Security Advisory notes that:
“If the affected products are installed under their default path (“C:\Program Files\*” or the localized equivalent) and the default file system access permissions for drive C:\ were not modified, the security vulnerability is not exploitable.”
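The condition Siemens draws in that quote (default install path plus unmodified default file system permissions) is one an operator can check on a host. The PowerShell script below is an added example written for this post; it is not code from Siemens, ICS-CERT or any of the affected products. It lists the directories under the Program Files roots (or any roots passed in with -Roots) whose ACLs grant write-class rights directly to broad, non-administrative principals. The list of principals and the rights mask are assumptions chosen for the example, and nothing here identifies which Siemens products are installed.

```powershell
# Added example, not from the Siemens or ICS-CERT advisory.
# Reports installation directories whose ACL grants write-class rights to
# broad principals. Run from an elevated prompt so every ACL can be read.
param(
    # Roots to inspect; default to both Program Files locations (assumption).
    [string[]]$Roots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}")
)

# Principals that should not hold write rights on an installation directory (assumed list).
$BroadPrincipals = @(
    'BUILTIN\Users',
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a principal drop or replace files in the directory.
$FSR = [System.Security.AccessControl.FileSystemRights]
$WriteMask = [int]($FSR::Write -bor $FSR::Modify -bor $FSR::FullControl -bor
                   $FSR::WriteData -bor $FSR::CreateFiles -bor $FSR::CreateDirectories)

# Inherit-only ACEs do not apply to the directory itself, only to its children.
$InheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-WeakInstallDirAcl {
    param([string[]]$Paths)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue |
            ForEach-Object {
                $dir = $_
                $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
                if (-not $acl) { return }
                foreach ($ace in $acl.Access) {
                    if ($ace.AccessControlType -ne 'Allow') { continue }
                    if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
                    if (([int]$ace.PropagationFlags -band $InheritOnly) -ne 0) { continue }
                    if (([int]$ace.FileSystemRights -band $WriteMask) -ne 0) {
                        [pscustomobject]@{
                            Path      = $dir.FullName
                            Principal = $ace.IdentityReference.Value
                            Rights    = $ace.FileSystemRights
                            Inherited = $ace.IsInherited
                        }
                    }
                }
            }
    }
}

Get-WeakInstallDirAcl -Paths $Roots | Format-Table -AutoSize
```

On an unmodified system the default Program Files ACL gives Users only read-and-execute rights, so the script reports nothing; any row it does print is an installation directory whose permissions have drifted from that default. To cover a product installed outside the default path, pass that location with -Roots; the script only inspects each product's top-level directory, so extend it with a recursive walk if the files inside need the same check.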
Phoenix Contact Advisory
The advisory describes multiple authentication vulnerabilities in the Phoenix Contact ILC (inline controller) PLCs. The vulnerabilities were reported by Matthias Niedermaier and Michael Kapfer of HSASec Hochschule Augsburg. Phoenix Contact has produced an update and recommended security practices to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The vulnerabilities include:
• Cleartext storage of sensitive information - CVE-2016-8366;
• Authentication bypass issues - CVE-2016-8371; and
• Access to critical private variable via public method - CVE-2016-8380.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerabilities to access human-machine interface (HMI) pages and to modify programmable logic controller (PLC) variables. ICS-CERT explains that the new version only corrects the plaintext password storage issue.