Today the DHS ICS-CERT published three control system security advisories for products from Siemens, Schneider Electric, and Eaton. They also updated two previously published advisories for products from Siemens and AMX, and published the latest version of the ICS-CERT Monitor (not reviewed here).
This advisory describes a man-in-the-middle vulnerability in the Siemens SINUMERIK Integrate and SINUMERIK Operate products. This is apparently a self-reported vulnerability. Siemens has provided new versions that mitigate the reported vulnerability.
ICS-CERT reports that the vulnerability is remotely exploitable (with no comment on the difficulty). A successful exploit could allow an attacker in a privileged network position to capture and modify network traffic protected with Transport Layer Security (TLS). The Siemens advisory notes that clients are only affected if HTTPS is used.
This advisory describes a resource exhaustion vulnerability in the Schneider Conext ComBox. The vulnerability was reported by Arik Kublanov and Mark Liapustin of Nation-E Ltd. Schneider has released a firmware update to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to cause the device to reboot itself, constituting a denial of service. The Schneider advisory notes that sending three HTTP GET requests with a wrong username and password, with no delay between the requests, causes the device to reboot.
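Because the trigger described above is nothing more than a short burst of failed HTTP authentication from one client, it is also easy to spot in web or proxy logs. The following is an added example, not code from this post, from ICS-CERT or from Schneider Electric: it assumes a constructed, syslog-like access log (timestamp, client address, request line, HTTP status) and flags any client that produces three 401 responses within a two-second window. Both the log format and the sample lines are invented for illustration.

```python
"""Burst detection for repeated failed HTTP authentication attempts.

Added example, not code from the original post or from Schneider Electric.
The log format and the sample lines below are constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log: three 401s from one client within one second
# (the pattern the advisory says reboots the device), a successful request
# from another client, and three widely spaced 401s that should not alert.
SAMPLE_LOG = """\
2017-03-02T10:15:01 192.0.2.10 "GET / HTTP/1.1" 401
2017-03-02T10:15:01 192.0.2.10 "GET / HTTP/1.1" 401
2017-03-02T10:15:01 192.0.2.10 "GET / HTTP/1.1" 401
2017-03-02T10:15:03 192.0.2.20 "GET / HTTP/1.1" 200
2017-03-02T10:15:10 192.0.2.30 "GET / HTTP/1.1" 401
2017-03-02T10:15:40 192.0.2.30 "GET / HTTP/1.1" 401
2017-03-02T10:16:15 192.0.2.30 "GET / HTTP/1.1" 401
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, client, status)."""
    ts, client, rest = line.split(" ", 2)
    status = int(rest.rsplit(" ", 1)[1])
    return datetime.fromisoformat(ts), client, status


def find_auth_bursts(log_text, threshold=3, window_seconds=2.0):
    """Return a list of (client, timestamp) pairs, one for each time a client
    reaches `threshold` failed (401) requests inside `window_seconds`.

    A per-client sliding window holds the timestamps of recent 401s; any
    non-401 response from that client resets its window, and a client that
    alerts has its window cleared so one burst produces one alert.
    """
    recent = defaultdict(deque)
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, status = parse_line(line)
        if status != 401:
            recent[client].clear()
            continue
        window = recent[client]
        window.append(ts)
        # Drop failures older than the window relative to the newest one.
        while window and (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold:
            alerts.append((client, ts))
            window.clear()
    return alerts


if __name__ == "__main__":
    for client, ts in find_auth_bursts(SAMPLE_LOG):
        print(f"auth burst from {client} at {ts.isoformat()}")
```

The threshold and window are deliberately tight to match the advisory's description; on a real network the same logic would run against the web server or reverse-proxy logs in front of the device, and a single alert is a reason to check whether the ComBox has just rebooted.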
This advisory describes an improper access control vulnerability in the Eaton xComfort Ethernet Communication Interface. The vulnerability was reported by Maxim Rupp. Eaton has released a new version that mitigates the vulnerability. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to access backup files and system logs without authenticating.
This Siemens update provides new information on an advisory that was originally published on November 8th, 2016 and then updated on November 22nd, 2016, December 22nd, 2016 and February 14th, 2017. The new information includes:
• Updated ‘version affected’ information on SIMATIC WinCC V7.2 and STEP 7 V5.X;
• Provided mitigation information for SIMATIC WinCC V7.2 and STEP 7 V5.X; and
• Removed SIMATIC WinCC V7.2 and STEP 7 V5.X from the temporary fix list.
This AMX update provides new information on an advisory that was originally published on February 14th, 2016. The new information includes:
• Announcing that updates are now available for affected versions; and
• Removing the interim mitigation suggestions.