Today the DHS ICS-CERT published two control system security advisories for products from 3S – Smart Software Solutions and Siemens.
The 3S advisory describes two vulnerabilities in the 3S CODESYS Web Server, which is used by an undisclosed variety of equipment manufacturers. The vulnerabilities were reported by David Atch of CyberX. 3S has provided a patch that mitigates the vulnerabilities. ICS-CERT reports that Atch has tested the patch and apparently verifies the efficacy of the fix.
The two vulnerabilities are:
• Unrestricted upload of file with dangerous type - CVE-2017-6027; and
• Stack-based buffer overflow - CVE-2017-6025.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow arbitrary files to be uploaded to the CODESYS Web Server without authorization. Additionally, an attacker may be able to crash the application or execute arbitrary code.
The Siemens advisory describes multiple vulnerabilities in the Siemens RUGGEDCOM VPN endpoints and firewall devices. Maxim Rupp reported four of the five vulnerabilities. Siemens has developed a mitigation tool [.PDF download] for these vulnerabilities. There is no indication that Rupp was provided an opportunity to verify the efficacy of the fix.
The vulnerabilities are:
• Improper authorization - CVE-2017-2686 and CVE-2017-2689;
• Cross-site request forgery - CVE-2017-2688; and
• Cross-site scripting - CVE-2017-2687 and CVE-2017-6864.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to perform actions with administrative privileges. The Siemens Security Advisory notes that network access is required to exploit three of the vulnerabilities, while the other two require a social engineering attack.