Today the DHS ICS-CERT published a new control system security advisory and updated another; both of those were for products from Siemens.
This advisory describes two vulnerabilities in the Siemens RUGGEDCOM NMS monitoring products. It appears that these vulnerabilities are self-reported by Siemens. Siemens has produced a new version that mitigates the vulnerabilities.
The two vulnerabilities are:
• Cross-site request forgery - CVE-2017-2682; and
• Cross-site scripting - CVE-2017-2683
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to perform administrative operations under certain conditions.
This update addresses changes to an advisory that was originally published on April 12th, 2016. The new information includes:
• Updated version information for the SCALANCE X200 IRT family; and
• A link to a new version for the SCALANCE X200 IRT family.