Today the DHS ICS-CERT published a control system security
alert for the CRASHOVERRIDE malware and a control system security advisory for
products from NXP. The NXP advisory was previously published on the NCCIC Portal
on June 1st, 2017. ICS-CERT also updated four previously issued
control system advisories for products from Siemens (3) and GE.
CRASHOVERRIDE Alert
This alert briefly describes the CRASHOVERRIDE malware. This malware was
previously identified by ESET (on June 12th), Dragos (on June 12th) and
US CERT (on June 12th), which ICS-CERT fully credits. All three reports
provide much more information than does the ICS-CERT Alert. ICS-CERT has
provided a different set of YARA rules for the detection of the malware than
those previously published by Dragos. The ICS-CERT rules appear to target
different portions of the malware.
NXP Advisory
This advisory describes two vulnerabilities in the NXP i.MX Devices, used on
logic boards. The vulnerabilities were reported by Quarkslab. These are
hardware vulnerabilities that generally cannot be corrected by a software fix.
ICS-CERT notes that the vulnerabilities “are only exploitable when the device
is placed in security enabled mode”.
The two reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2017-7936; and
• Improper certificate validation - CVE-2017-7932
ICS-CERT reports that a successful attack (by an uncharacterized attacker
with uncharacterized access) could exploit the vulnerabilities to cause a
denial of service or to load an unauthorized image on the device, affecting
secure boot.
NOTE: These are not stand-alone devices; they are chip sets found on circuit
boards in unnamed devices from unnamed suppliers. Hopefully one (or more) of
those downstream suppliers will develop a successful mitigation for this
problem on their devices. But it has been almost two months since
notification was made to those vendors….
S7-300 Update
This update provides new information on an advisory that was originally
published on December 13th, 2016 and then updated on May 9th, 2017. The
update provides a link to a firmware update for the S7-CPU 410 CPUs.
GE Update
This update provides new information on an advisory that was originally
published on April 27th, 2017, and updated on May 18th, 2017. The new update
identifies 8 legacy products that are affected by the vulnerability. It also
provides links to previously identified firmware versions and newly mitigated
products, including the newly identified legacy products. The firmware update
for the URplus platform is still expected to be released this month.
PROFINET 1 update
This update provides new information on an advisory that was originally
published on May 9th, 2017 and updated on June 15th, 2017, on June 20th, 2017,
and again on July 6th, 2017. The update provides updated version information
and mitigation information for the SINEMA Server: All versions < V14.
PROFINET 2 update
This update provides new information on an advisory that was originally
published on May 9th, 2017 and updated on June 15th, 2017. The update provides
new affected version information and mitigation links for:
• SCALANCE XM400, XR500: All versions prior to V6.1;
• S7-400 PN/DP V6 Incl. F: All versions;
• S7-400-H V6: All versions prior to V6.0.7;
• S7-400 PN/DP V7 Incl. F: All versions;
• S7-410: All versions prior to V8.2;
• SINAMICS S110 w. PN: All versions prior to V4.4 SP3 HF5;
• SINAMICS S120 V4.7: All versions prior to V4.7 H27; and
• SINAMICS V90 w. PN: All versions prior to V1.1