Today the DHS ICS-CERT published four control system
security advisories for three products from Siemens and one from Rockwell. The
Rockwell advisory was originally posted to the NCCIC Portal on April 4, 2017.
They also updated two previously issued advisories for products from Siemens.
Rockwell Advisory
This advisory
describes multiple vulnerabilities in the Rockwell Automation Stratix 5900
services router. The vulnerabilities were reported by Cisco in Cisco software
products used in the Rockwell Stratix 5900; some of these vulnerabilities have
been previously reported. Rockwell has produced a new firmware version to
mitigate these vulnerabilities.
The reported vulnerabilities include (take a deep breath):
• Improper input validation - CVE-2016-6380, CVE-2016-1409, CVE-2015-0642, CVE-2015-0643, CVE-2014-3361, CVE-2014-2113, and CVE-2014-2106;
• Resource management errors - CVE-2016-6393, CVE-2016-6384, CVE-2016-6381, CVE-2016-6382, CVE-2016-1350, CVE-2016-1344, CVE-2015-0646, CVE-2014-3359, CVE-2014-3355, CVE-2014-3356, CVE-2014-3354, CVE-2014-3299, CVE-2014-2108, and CVE-2014-2112;
• Information exposure - CVE-2016-6415;
• Multiple network time protocol daemon vulnerabilities (October 2015) - CVE-2015-7691, CVE-2015-7692, CVE-2015-7701, CVE-2015-7702, CVE-2015-7703, CVE-2015-7704, CVE-2015-7705, CVE-2015-7848, CVE-2015-7849, CVE-2015-7850, CVE-2015-7851, CVE-2015-7852, CVE-2015-7853, CVE-2015-7854, CVE-2015-7855, and CVE-2015-7871;
• Improper authentication - CVE-2015-1798 and CVE-2015-1799;
• Multiple OpenSSL vulnerabilities (March 2015) - CVE-2015-0207, CVE-2015-0209, CVE-2015-0285, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0290, CVE-2015-0291, CVE-2015-0292, CVE-2015-0293, and CVE-2015-1787;
• Cryptographic issues - CVE-2014-3566;
• Numeric issues - CVE-2014-3360;
• Multiple OpenSSL vulnerabilities - CVE-2010-5298, CVE-2014-0076, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, and CVE-2014-3470; and
• Network Address Translation vulnerabilities - CVE-2014-2109 and CVE-2014-2111.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to perform man-in-the-middle attacks,
create denial of service conditions, or remotely execute arbitrary code. With
some of these previously identified vulnerabilities up to 7 years old, I would
bet that there are some publicly available exploits, but that was not mentioned
in this advisory.
(SARCASM WARNING) I am glad that no other vendor uses any of
these Cisco products.
Siemens SIMATIC Advisory
This advisory
describes a denial of service vulnerability in the Siemens SIMATIC WinCC and
SIMATIC WinCC Runtime Professional products. The vulnerability was reported by Sergey
Temnikov and Vladimir Dashchenko of the Kaspersky Lab Critical Infrastructure
Defense Team. Siemens has developed updates for the affected products to
mitigate the vulnerability. There is no indication that the researchers have
been afforded an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit the vulnerability to cause the affected service to crash,
resulting in a denial-of-service condition. The Siemens
Security Advisory reports that the attacker must be a member of the
administrators group and have network access to an affected system.
Siemens PROFINET Advisory 1
This advisory
describes two input validation vulnerabilities in Siemens devices using the PROFINET
Discovery and Configuration Protocol (DCP). The vulnerabilities were reported by Duan
JinTong, Ma ShaoShuai, and Cheng Lei from the NSFOCUS Security Team. Siemens has
produced firmware updates to mitigate the vulnerabilities. There is no indication
that the researchers have been provided an opportunity to verify the efficacy
of the fix.
ICS-CERT reports that a relatively low skilled attacker with
network access to the local Ethernet segment (Layer 2) could exploit the vulnerabilities
to cause the targeted device to enter a denial-of-service condition, which may
require human interaction to recover the system.
The Siemens
Security Advisory reports that CNCERT/CC coordinated the disclosure of these
vulnerabilities.
Siemens PROFINET Advisory 2
This advisory
describes an improper input validation vulnerability in Siemens devices using
the PROFINET Discovery and Configuration Protocol (DCP). The vulnerability was
reported by Duan JinTong, Ma ShaoShuai, and Cheng Lei from the NSFOCUS Security
Team. Siemens has produced updates that mitigate the vulnerability. There is no
indication that the researchers have been afforded an opportunity to verify the
efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker with
access to an adjacent network could exploit the vulnerability to cause a
denial-of-service condition that requires a manual restart to recover.
The Siemens Security Advisory reports that:
“On a single host the affected
component is shared among the affected products. Installing one fixed version
will mitigate the vulnerability for all Siemens applications installed on the single
host.”
Siemens Industrial Products Update
This update
provides new information on an advisory that was originally
issued on November 8, 2016 and then updated on November 22, 2016; December 23, 2016;
February 14, 2017; and March 2, 2017. The new information includes:
• Updated version information for SIMATIC WinCC V7.4, SIMATIC WinCC Runtime Professional, SIMATIC WinCC (TIA Portal) Professional, and SIMATIC STEP 7 (TIA Portal) V13;
• Added mitigation information for the above products; and
• Removed the above products from the ‘temporary fix’ list.
The Siemens
Security Advisory was also updated.
Siemens S7-300/400 PLC Update
This update
provides new information on an advisory that was originally
issued on December 13, 2016. The new information includes:
• Added Profibus as an access route for the inadequate encryption strength vulnerability; and
• Added links to firmware updates for S7-300 CPUs.
The Siemens
Security Advisory was also updated.