On Monday and Tuesday, the DHS ICS-CERT published two
advisories. The first is a medical system security advisory for a product from St.
Jude Medical. The second is a control system advisory for products from
OSIsoft. ICS-CERT also published a call for papers for the Spring 2017 ICSJWG
meeting in Minneapolis, Minnesota.
St. Jude Advisory
This advisory
describes a ‘man-in-the-middle’ vulnerability in the St. Jude Medical
Merlin@home transmitter. This vulnerability was reported by Med Sec Holdings
(apparently the ‘MuddyWaters’
vulnerability?). St. Jude has produced a new software version to mitigate the
vulnerability. ICS-CERT reports that an undisclosed third party has verified
the efficacy of the fix. The FDA has released a Safety
Communication on the vulnerability.
ICS-CERT reports that a highly skilled attacker could
remotely exploit this vulnerability to access or influence communications
between Merlin.net and transmitter endpoints.
OSIsoft Advisory
This advisory
describes a vulnerability involving information exposure through server log files in the
OSIsoft PI Coresight and PI Web API products. OSIsoft reports
that a customer (Vint Maggs from Savannah River Nuclear Solutions) identified
the vulnerability (not mentioned in the ICS-CERT advisory). OSIsoft has reported
workarounds to mitigate the vulnerability while it works on a software update.
ICS-CERT reports that anyone with access to the server file
system could exploit this vulnerability. A successful exploit could lead to
unauthorized shutdown of the affected PI services as well as potential reuse of
domain credentials.
OSIsoft notes that the vulnerability exists only when the
system is not installed using the installation defaults.
ICSJWG Spring Meeting
Yesterday ICS-CERT announced via a Tweet® that
registration was open and a call for papers had been issued for the Spring 2017
ICSJWG meeting. Unfortunately, the tweet did not provide any links to the
information and there is nothing yet listed on the ICS-CERT landing page about
the meeting. The meeting
web site is up with all of the requisite information.
The meeting will be held on April 11th – 13th,
in Minneapolis, MN. Abstracts need to be submitted by February 10th,
and advance registration closes April 6th.