Wednesday, December 14, 2016

ICS-CERT Publishes 5 Advisories and Strategy Document

Yesterday the DHS ICS-CERT published five control system security advisories for products from Siemens (2), Delta Electronics, Moxa, and Visonic. Additionally, it published information about a new US-Canada agreement on a strategy for protecting the electric grid from both man-made and natural events.

Siemens S7 Advisory

This advisory describes two vulnerabilities in the Siemens S7-300 and S7-400 programmable logic controllers. The vulnerabilities were reported by Zhu WenZhe from Beijing Acorn Network Technology. Siemens has published interim mitigation guidance pending the production of an actual fix for the vulnerabilities.

The reported vulnerabilities are:

• Inadequate encryption strength - CVE-2016-9159; and
• Protection mechanism failure - CVE-2016-9158

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to effect a denial-of-service condition or credential disclosure. Siemens notes that an attacker would have to have network access to the device.

NOTE: Siemens announced this vulnerability in a tweet last Friday.

Siemens SIMATIC Advisory

This advisory describes an ActiveX vulnerability in the Siemens SIMATIC WinCC and SIMATIC PCS 7. The vulnerability was reported by Mingzheng Li from Acorn Network Security Lab. Siemens has produced a new version to mitigate the vulnerability. There is no indication that Li has been provided an opportunity to verify the fix.

ICS-CERT reports that this vulnerability requires a social engineering attack and is thus not remotely exploitable. The Siemens security advisory simply notes that an attacker must have control of a web site “that is allowed to execute ActiveX components”. A successful attack could allow an attacker to crash the component or leak application memory content.

NOTE: Siemens announced this vulnerability in a tweet last Friday.

Delta Electronics Advisory

This advisory describes two vulnerabilities in the Delta Electronics WPLSoft, ISPSoft, and PMSoft software applications. The vulnerabilities were separately reported by axt and Ariele Caltabiano via the Zero Day Initiative. Delta Electronics has produced new software versions to mitigate these vulnerabilities. There is no indication that either researcher was provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2016-5805; and
• Out-of-bounds write - CVE-2016-5802

ICS-CERT reports that a social engineering attack is required to exploit these vulnerabilities. A successful exploit could allow an attacker to execute arbitrary code.

Moxa Advisory

This advisory describes two vulnerabilities in the Moxa DACenter application. The vulnerabilities were reported by Zhou Yu. Moxa has produced a patch to mitigate the vulnerabilities. ICS-CERT reports that Yu has verified the efficacy of the fix.

The reported vulnerabilities are:

• Resource exhaustion - CVE-2016-9354; and
• Unquoted search path - CVE-2016-9356

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to effect a denial-of-service condition, or that an authorized but nonprivileged local user could use them to execute arbitrary code with elevated privileges on the system.

Visonic Advisory

This advisory describes two vulnerabilities in the Visonic PowerLink2 module. The vulnerabilities were reported by Aditya K. Sood. Visonic has produced an updated version to mitigate the vulnerabilities. There is no indication that Sood has been provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Information exposure - CVE-2016-5813; and
• Cross-site scripting - CVE-2016-5811

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerabilities to download images from the server.

Electric Grid Security Strategy

ICS-CERT published a fact sheet about and a link to a new US-Canada electric grid security strategy document. The strategy focuses on three goals:

• Protect today’s electric grid and enhance preparedness;
• Manage contingencies and enhance response and recovery efforts; and
• Build a more secure and resilient future electric grid.

As one would expect, the actual strategy document is a high-level political document with very little technical information. It is important, however, in that it reflects the reality that the electric grids of these two countries are interconnected and that adequate protection of that interconnected grid is going to take coordinated efforts from both parties.

As with any strategy, the tactics used to implement it may be as important as the strategy itself. It will be interesting to see if any similar tactical documents are publicly released.
