Yesterday the DHS ICS-CERT published two control system
security advisories for products from Wago and Fidelix. It also published updates
for previously issued advisories for products from Moxa (2), iRZ, Resource Data
Management, Environmental Systems and Siemens.
Wago Advisory
This advisory
describes an authentication bypass vulnerability in the WAGO Ethernet Web-based
Management products. The vulnerability was reported by Maxim Rupp. WAGO has
produced a firmware update and workarounds to mitigate the vulnerability. There
is no indication that Rupp has been provided an opportunity to verify the
efficacy of the fix.
ICS-CERT reports that a relatively unskilled hacker could
remotely exploit this vulnerability to view and edit settings without
authenticating.
Fidelix Advisory
This advisory
describes a path traversal vulnerability in the Fidelix FX-20 series
controllers. The vulnerability was reported by Semen Rozhkov of Kaspersky Lab.
Fidelix has produced a new software version that mitigates the vulnerability.
There is no indication that Rozhkov has been provided an opportunity to verify
the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit this vulnerability to read data from the device.
Moxa EDR-G903 Update
This update
provides additional information on an advisory that was originally
published on May 17th, 2016.
It changes the name of one of the vulnerabilities from ‘memory leak’ to ‘information
exposure’. On the unauthenticated download vulnerability, the ‘A’ component at the
end of the CVSS vector string changes from ‘H’ to ‘N’.
iRZ Update
This update
provides additional information on an advisory that was originally
published on May 17th, 2016. It changes the CVSS v3 base score
from 6.1 to 7.2 and changes two components of the CVSS vector string: ‘UI’ from ‘R’
to ‘N’ and ‘C’ from ‘N’ to ‘H’.
Resource Data Management Update
This update
provides additional information on an advisory that was originally
published on May 19th, 2016. It changes the CVSS v3 base score
on the cross-site request forgery vulnerability from 6.5 to 8.0 and changes
three components of the CVSS vector string for the same vulnerability: ‘UI’ from
‘N’ to ‘R’, ‘C’ from ‘N’ to ‘H’, and ‘I’ from ‘N’ to ‘H’.
Moxa MiiNePort Update
This update
provides additional information on an advisory that was originally
published on May 24th, 2016. It changes the CVSS v3 base score
on the cross-site request forgery vulnerability from 6.1 to 9.6 and changes
three components of the CVSS vector string for the same vulnerability: ‘UI’ from
‘R’ to ‘N’, ‘C’ from ‘L’ to ‘H’, and ‘I’ from ‘N’ to ‘H’.
Environmental Systems Update
This update
provides additional information on an advisory that was originally
published on May 26th, 2016, and then updated
on June 2nd, 2016. It changes the CVSS v3 base score on the
authentication bypass vulnerability from 7.5 to 9.1.
Siemens Update
This update
provides additional information on an advisory that was originally
published on November 8th, 2016 and then updated
on November 22nd, 2016. It updates both the affected version and
mitigation information for SIMIT V9.0 SP1 and SecurityConfiguration Tool (SCT)
V4.3 HF1. Siemens has updated their security
advisory and reported this
update via a tweet on Wednesday.
Commentary
This cluster of incorrect CVE v3 base scores and vector
strings from May of this year is interesting. As of this date it does not
apparently affect all the advisories produced during that period and only affects
one of the reported vulnerabilities in multiple vulnerability advisories. This
would seem to indicate that it was not a systemic problem, but rather human
error. While we would like to think that the folks at ICS-CERT were perfect,
alas they are only human.
I am impressed with the four updates addressing these CVE
related errors. I’m not sure what instigated the review of these advisories,
but their publication does demonstrate a high level of integrity and attention
to detail. ICS-CERT is to be commended on publishing them.