Yesterday ICS-CERT published five new control system security advisories for products from Siemens, Moxa, Advantech, Mitsubishi Electric, and Smiths-Medical. They also published an update for an earlier Siemens product advisory.
Smiths-Medical Advisory
This advisory describes two vulnerabilities in the Smiths-Medical CADD-Solis Medication Safety Software. The vulnerabilities were reported by Andrew Gothard of Newcastle Upon Tyne Hospitals NHS Foundation Trust. Smiths-Medical has produced new versions of the software and ICS-CERT reports that an independent investigator has verified the efficacy of the fix.
The reported vulnerabilities are:
• Incorrect permission assignment for critical resource - CVE-2016-8355; and
• Man-in-the-middle - CVE-2016-8358
ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to add users, delete users, and modify permissions, as well as modify drug libraries.
Advantech Advisory
This advisory describes multiple vulnerabilities in the Advantech SUSIAccess Server. The vulnerabilities were reported by rgod via the Zero Day Initiative. Advantech no longer supports SUSIAccess and recommends the purchase of new software to mitigate these vulnerabilities. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.
The reported vulnerabilities are:
• Information exposure - CVE-2016-9349;
• Path traversal - CVE-2016-9351; and
• Permission, privileges and access control - CVE-2016-9353
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to manipulate files or conduct arbitrary code execution.
Mitsubishi Electric Advisory
This advisory describes two vulnerabilities in the Mitsubishi Electric MELSEC-Q series Ethernet interface modules. The vulnerabilities were reported by Vladimir Dashchenko of Critical Infrastructure Defense Team, Kaspersky Lab. Mitsubishi Electric has produced a new version that provides a mitigating control (IP filtering) for one of the vulnerabilities (the cryptographic vulnerability will not be addressed). ICS-CERT reports that there are publicly available exploits for these vulnerabilities.
The reported vulnerabilities are:
• Use of a broken or risky cryptographic algorithm - CVE-2016-8370; and
• Unrestricted externally available lock - CVE-2016-8368
ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to intercept weakly encrypted passwords and conduct a denial of service attack.
ICS-CERT has added two new recommended practices to this advisory that I do not recall having seen before:
• Implementing IPsec can be used to encrypt communication pathways.
• Asset owners may wish to consider implementing a Bump-in-the-Wire (BitW) solution to improve security.
Moxa Advisory
This advisory describes multiple vulnerabilities in the Moxa NPort serial device servers. The vulnerabilities were reported by Reid Wightman of RevICS Security, Mikael Vingaard, and Maxim Rupp. At least some of the vulnerabilities were reported in an earlier ICS-CERT alert based upon a Digital Bond Labs report [link updated 21:54, 2-18-17]. Moxa has produced new firmware versions to mitigate the vulnerabilities in all but one of the devices (no longer supported). There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.
The reported vulnerabilities are:
• Credential management - CVE-2016-9361;
• Permissions, privileges and access control - CVE-2016-9369;
• Classic buffer overflow - CVE-2016-9363;
• Cross-site scripting - CVE-2016-9371;
• Cross-site request forgery - CVE-2016-9365;
• Improper restriction of excessive authentication attempts - CVE-2016-9366;
• Plain text storage of a password - CVE-2016-9348; and
• Resource exhaustion - CVE-2016-9367
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to allow “the complete compromise of an affected system”.
Siemens Advisory
This advisory describes multiple vulnerabilities in the Siemens SICAM PAS. The vulnerabilities were reported by Ilya Karpov and Dmitry Sklyarov of Positive Technologies and Sergey Temnikov and Vladimir Dashchenko of Kaspersky Lab. Siemens has produced an update to mitigate some of the vulnerabilities; additional future patches are expected. There is no indication that any of the researchers has been provided an opportunity to verify the efficacy of the fix.
The reported vulnerabilities are:
• Use of hard-coded credentials - CVE-2016-8567;
• Storing passwords in a recoverable format - CVE-2016-8566;
• Files or directories accessible to external parties - CVE-2016-9156; and
• Weaknesses that affect memory - CVE-2016-9157
Siemens reports in their security advisory that the first two vulnerabilities do not exist in the latest version of SICAM PAS. They also provide mitigating controls for the other two vulnerabilities pending development of further updates.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to cause a denial-of-service condition or execute arbitrary code.
BTW: This is the advisory that I briefly mentioned on Tuesday.
Siemens Update
This update provides updated affected version information and information on a new version that reportedly mitigates the vulnerability. The original version of this advisory was published last June.
This is the update that I mentioned briefly on Tuesday. It appears that ICS-CERT did provide an earlier version of this update on Tuesday, but it is not clear what that update may have addressed since it is no longer available on the ICS-CERT website and I missed its publication. There was not an intermediate update from Siemens between their original version and the latest one that provides the information in this update.
1 comment:
Hi Patrick -
Please note that the patches do not fix CVE-2016-9361, at least as of February 2017. I posted a sample exploit here: https://github.com/reidmefirst/MoxaPass . The exploit still works against current versions of firmware for Moxa's NPort 5xxx, 6xxx, MGate MB3xxx, and OnCell devices. It probably affects other devices, too, but we can only afford so many models in our research lab. For the 6xxx line, the exploit can only retrieve SNMP community strings; for all other devices above it can retrieve the administrator password still.
Cheers,
Reid