Yesterday the DHS ICS-CERT published two control system
security advisories for products from Schneider Electric and Wecon Technologies.
Schneider Advisory
This advisory
describes two vulnerabilities in the Schneider Modicon M221 PLCs and SoMachine
Basic. The vulnerabilities were reported by Simon Heming, Maik Brüggemann,
Hendrik Schwartke, and Ralf Spenneberg of Open Source Security. Schneider has
announced an encryption workaround and that they will introduce a new version
of SoMachine Basic in June.
The two reported vulnerabilities are:
• Use of Hard-Coded Cryptographic Key – CVE-2017-7574; and
• Protection Mechanism Failure – CVE-2017-7575
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities using a publicly available exploit
to extract a protected project file from the controller and obtain sensitive
project information, or that a user with access to a protected project file could
decrypt it to obtain sensitive information without authorization.
Interestingly, the Schneider security
notification only addresses the vulnerability in their SoMachine Basic,
ignoring the vulnerability in their Modicon M221 PLCs. Could that vulnerability
be a ‘design feature’?
NOTE: These are the vulnerabilities that I
reported on last weekend. OpenSource published the vulnerabilities on their
web site (here and here) a week ago last Tuesday.
Wecon Advisory
This advisory
describes two buffer overflow vulnerabilities in the Wecon LEVI Studio HMI
Editor. The vulnerabilities were reported by Andrea (rgod) Micalizzi, working
with iDefense Labs. Wecon has developed a new version that mitigates the
vulnerabilities. There is no indication that rgod has been provided an
opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Heap-based buffer overflow – CVE-2017-6037; and
• Stack-based buffer overflow – CVE-2017-6035
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to cause the device to become unresponsive;
a buffer overflow condition may allow remote code execution.