Yesterday the DHS ICS-CERT published three control system
security advisories for products from OSIsoft, Siemens and Phoenix Contact.
Earlier this week they also published the September – October 2016 Monitor.
ICS-CERT Monitor
The latest issue of the ICS-CERT Monitor reports on the activities of the DHS ICS-CERT for September and October of 2016. There is little of real value in this issue, with ICS-CERT returning to the glossy corporate quarterly report format. The main articles include:
• ICS-CERT Vulnerability Coordination;
• Cybersecurity Crawl, Walk, Run;
• DHS Moving US-CERT Portal to HSIN, Rebranding as NCCIC Portal;
• ICSJWG Fall 2016 Meeting Recap;
• ICS-CERT Hosts Regional Training in Lisbon, Portugal;
• ICS-CERT Releases Defense-in-Depth and Annual Vulnerability Coordination Reports; and
• What is a CSET Assessment?
OSIsoft Advisory
The advisory describes an incomplete model of endpoint features vulnerability in the OSIsoft PI System software. This is apparently a self-reported vulnerability. OSIsoft has produced a new version that mitigates the vulnerability.
ICS-CERT reports that a relatively unskilled attacker with local access could effect a DoS attack to cause a shutdown of the PI Data Archive or connected applications. The OSIsoft Security Update, on the other hand, reports that an exploit of the session management issue could “result in remote shutdown of the PI Data Archive or connected applications”.
Siemens Advisory
The advisory describes a privilege escalation vulnerability that affects several industrial products from Siemens (18 products are listed in the advisory). The vulnerability was reported by WATERSURE and KIANDRA IT. Siemens has produced updates for six of the products and temporary fixes for the remaining products pending the production of new updates.
ICS-CERT reports that it would be difficult to effect a working exploit of the vulnerability and that it would require local authenticated access to the product. Interestingly, the Siemens Security Advisory notes that:
“If the affected products are installed under their default path (“C:\Program Files\*” or the localized equivalent) and the default file system access permissions for drive C:\ were not modified, the security vulnerability is not exploitable.”
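The Siemens note combines two conditions: a default install path and unmodified file system permissions. The following PowerShell function, added here as an example and not code from this post or from Siemens, audits both for a list of install directories; the paths passed in are placeholders to be replaced with the real install directories of the affected products.

```powershell
# Added example (not from the post or from Siemens). For each install directory it
# reports whether the directory sits under a default Program Files root and whether
# broad local principals hold write-class rights on it, the two conditions the
# Siemens note ties the exploitability of the issue to.
function Test-InstallDirPermissions {
    param([Parameter(Mandatory)][string[]]$InstallPaths)   # placeholder input

    # Default roots the advisory refers to ("C:\Program Files\*" and the x86 variant).
    $defaultRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

    # Principals that cover every local account; write rights granted to them mean a
    # low-privileged local user could tamper with the product's files.
    $broadPrincipals = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'Everyone')
    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'

    foreach ($path in $InstallPaths) {
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Path = $path; UnderDefaultRoot = $null; BroadWriteAccess = $null; Finding = 'Path not found' }
            continue
        }
        $full = (Resolve-Path -LiteralPath $path).ProviderPath
        $underDefault = [bool]($defaultRoots | Where-Object {
            $full.StartsWith($_.TrimEnd('\') + '\', [System.StringComparison]::OrdinalIgnoreCase) })

        # Explicit and inherited Allow entries granting a write-class right to a broad principal.
        # Entries expressed as raw generic-rights numbers (some inherited ACEs) are not decoded here.
        $broadWrite = @((Get-Acl -LiteralPath $full).Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains $_.IdentityReference.Value -and
            (($_.FileSystemRights -band $writeMask) -ne 0)
        })

        $finding = if (-not $underDefault -and $broadWrite.Count -gt 0) {
            'REVIEW: non-default path with broad write access; the advisory mitigation does not apply'
        } elseif ($broadWrite.Count -gt 0) {
            'REVIEW: default path but permissions have been loosened from the defaults'
        } elseif (-not $underDefault) {
            'CHECK: non-default path; confirm permissions match the Program Files defaults'
        } else {
            'OK: default path with default-style permissions'
        }
        [pscustomobject]@{ Path = $full; UnderDefaultRoot = $underDefault
                           BroadWriteAccess = ($broadWrite.Count -gt 0); Finding = $finding }
    }
}

# Usage (placeholder paths, run in an elevated session so every ACL can be read):
Test-InstallDirPermissions -InstallPaths 'C:\Program Files\PLACEHOLDER_PRODUCT', 'D:\PLACEHOLDER_PRODUCT' | Format-Table -AutoSize
```

Any "REVIEW" result means a product is installed outside the conditions the Siemens note relies on and the vendor update or temporary fix should be applied rather than relying on default permissions.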
Phoenix Contact Advisory
The advisory describes multiple authentication vulnerabilities in the Phoenix Contact ILC (inline controller) PLCs. The vulnerabilities were reported by Matthias Niedermaier and Michael Kapfer of HSASec Hochschule Augsburg. Phoenix Contact has produced an update and recommended security practices to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The vulnerabilities include:
• Cleartext storage of sensitive information - CVE-2016-8366;
• Authentication bypass issues - CVE-2016-8371; and
• Access to critical private variable via public method - CVE-2016-8380.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerabilities to access human-machine interface (HMI) pages and to modify programmable logic controller (PLC) variables. ICS-CERT explains that the new version only corrects the plaintext password storage issue.