Yesterday the DHS ICS-CERT updated their earlier alert on
the WannaCry ransomware. They also published four control system security
advisories for products from Schneider Electric (2), Hanwha Techwin, and
Detcon.
WannaCry Update
This update
provides additional information on the alert that was issued yesterday. The new
information includes:
Siemens makes an important point about medical device
cybersecurity:
“We would like to point out that
neither the use of an email client nor browsing the internet is part of the
intended use of most of the product types covered by this Siemens Security Bulletin.”
The ABB document does mention restricting SMB protocol use
but stops short of recommending disabling the protocol as
suggested by Microsoft. They do note:
“This will help to prevent
spreading of the WannaCry malware from individual compromised computers. For
specific guidance please see additional communication for specific ABB
solutions and contact your local ABB service organization.”
NOTE: The US-CERT also updated their alert for this
malware.
Schneider VAMPSET Advisory
This advisory
describes an improper input validation vulnerability in the Schneider VAMPSET
tool. The vulnerability was reported by Kushal Arvind Shah from Fortinet's
Fortiguard Labs. Schneider has produced a new firmware version to mitigate the
vulnerability. There is no indication that Shah has been provided an
opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker with
local access could exploit the vulnerability to cause the software to enter a
denial-of-service condition. The Schneider Security Notification reports
that the vulnerability has no effect on the operation of the protection
relay to which VAMPSET is connected.
Techwin Advisory
This advisory
describes an improper access control vulnerability in the Hanwha Techwin SRN-4000
network video management platform. The vulnerability was reported by Can
Demirel and Faruk Unal of Biznet Bilisim. Techwin reports that a newer version
mitigates the vulnerability. ICS-CERT reports that the researchers have
verified the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit the vulnerability to allow the attacker remote access to the
web management portal with admin privileges without authentication.
Schneider SoMachine Advisory
This advisory
describes two vulnerabilities in the Schneider SoMachine HVAC software. The
vulnerabilities were separately reported by Zhou YU and Himanshu Mehta.
Schneider reports that a newer version mitigates the vulnerability. There is no
indication that either researcher has been provided the opportunity to verify
the efficacy of the fix.
The two reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2017-7965; and
• Uncontrolled search path element - CVE-2017-7966
ICS-CERT reports that a relatively unskilled attacker (no
access characterization) could exploit the vulnerability to allow arbitrary
code execution and could cause the device that the attacker is accessing to
crash due to a buffer overflow condition.
NOTE: The Schneider
Security Notification only addresses the buffer overflow vulnerability.
Detcon Advisory
This advisory
describes two vulnerabilities in the Detcon SiteWatch Gateway. The
vulnerabilities were reported by Maxim Rupp. ICS-CERT reports that Detcon no
longer owns or services the SiteWatch Gateway product, but it is attempting to
notify customers of the vulnerabilities.
The two reported vulnerabilities are:
• Improper authentication - CVE-2017-6049; and
• Plaintext storage of passwords - CVE-2017-6047
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to allow remote code execution. An
attacker who exploits these vulnerabilities may be able to change settings on
the affected product or obtain user passwords.