ICS-CERT Publishes 3 Advisories and 3 Updates

Today the DHS ICS-CERT published three control system security advisories for products from Siemens, Geutebrück and Advantech. They also updated three control system security advisories for products from Siemens and Rockwell.

Siemens Advisory

This advisory describes an authentication bypass vulnerability in the Siemens SIMATIC Logon application. This vulnerability is being self-reported by Siemens. Siemens has produced an updated version of the application to mitigate the vulnerability.

ICS-CERT reports that an relatively low skilled attacker could remotely exploit this vulnerability to circumvent user authentication under certain conditions.

Geutebrück Advisory

This advisory describes two vulnerabilities in the Geutebrück G-Cam IP camera. The vulnerabilities were reported by Davy Douhine of RandoriSec, Florent Montel and Frédéric Cikala. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Authentication bypass using an alternative path or channel - CVE-2017-5174;

• Improper neutralization of special elements used in an OS command - CVE-2017-5173

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to bypass authentication and obtain remote anonymous access to the device; these vulnerabilities may allow remote code execution.

Advantech Advisory

This advisory describes a DLL hijacking vulnerability in the Advantech WebAccess application. The vulnerability was reported by Li MingZheng Kuangn. Advantech has produced a new version to mitigate the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could exploit the vulnerability o execute arbitrary code within the system. ICS-CERT does not mention what type access is required or comment on the need for an social engineering attack.

Siemens APOGEE Update

This update provides additional information about an advisory originally published on March 22^nd, 2016. The update includes:

• A correction of the name of one of the reporting institutions;

• Additional information about the affected versions; and

• Reports a new version that mitigates the vulnerability.

Siemens Industrial Produces Update

This update provides additional information about an advisory originally published on November 8^th, 2016 and then updated on November 22^nd, 2016 and updated again on December 22^nd. The update includes:

• Updated ‘version affected’ information on SIMATIC IT Production Suite;

• Provided mitigation information for SIMATIC IT Production Suite; and

• Removed SIMATIC IT Production Suite from the temporary fix list.

Rockwell Update

This update provides additional information about an advisory originally published on January 5^th, 2017. The update includes:

• Adds PowerFlex 700S drives to the list of affected devices;

• Adds DriveLogix 5730 controller option explanation; and

• Explains that the PowerFlex 700S is not covered by the new firmware version mitigation.