Thursday, July 6, 2017

ICS-CERT Publishes 5 Advisories and 2 Updates

Today the DHS ICS-CERT published five control system security advisories, two for products from Schneider Electric and three for products from Siemens. It also published updates for two previously published advisories for products from Siemens.

Ampla Advisory


This advisory describes two vulnerabilities in the Schneider Ampla MES products. The vulnerabilities were reported by Ilya Karpov from Positive Technologies. Schneider reports that the current version of the products mitigates the vulnerabilities. There is no indication that Karpov has been provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities are:

• Clear text transmission of sensitive information - CVE-2017-9637; and
• Inadequate encryption strength - CVE-2017-9635

ICS-CERT reports that a relatively unskilled attacker (with uncharacterized access) can exploit the vulnerabilities to connect to third-party databases or compromise credentials of Ampla users configured with Simple Security. The Schneider security bulletin notes that products configured with Windows Integrated Security avoid these vulnerabilities.

Comment: I always wonder when a current version of a product mitigates a previously unreported vulnerability in earlier versions if the problem was corrected by ‘accident’ or if the vendor had discovered the vulnerability and fixed it without specifically identifying the vulnerability to its customers. If it is the latter, they are doing their customers a disservice by not identifying the vulnerability so that owners can make an appropriate, risk-based decision to upgrade or not.

Wonderware Advisory


This advisory describes three vulnerabilities in the Schneider Wonderware ArchestrA Logger. The vulnerabilities were reported by Andrey Zhukov of USSC. Schneider has developed a security patch to mitigate the vulnerabilities. There is no indication that Zhukov was provided an opportunity to verify the efficacy of the fix. The Schneider security bulletin, however, indicates that Zhukov has verified the efficacy of the fix.

The reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2017-9629;
• Uncontrolled resource consumption - CVE-2017-9627; and
• NULL pointer dereference - CVE-2017-9631

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerabilities to execute code or cause a denial of service.

SIPROTEC Advisory


This advisory describes six vulnerabilities in the Siemens SIPROTEC 4 and SIPROTEC Compact devices. Siemens has self-reported the vulnerabilities. Siemens developed firmware updates to mitigate the vulnerabilities.

The reported vulnerabilities are:

• Improper input validation - CVE-2015-5374 and CVE-2016-7113;
• Missing authorization - CVE-2016-4784, CVE-2016-4785, and CVE-2016-7112; and
• Improper authentication - CVE-2016-7114

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerabilities to access sensitive information or perform administrative functions. The Siemens security advisory reports that two of the vulnerabilities could allow the attacker to conduct a denial of service attack.

Reyrolle Advisory


This advisory describes five vulnerabilities in the Siemens Reyrolle products. Siemens has self-reported the vulnerabilities. Siemens has developed a new firmware version to mitigate the vulnerabilities.

The reported vulnerabilities are:

• Missing authorization - CVE-2016-4784, CVE-2016-4785 and CVE-2016-7112;
• Improper input validation - CVE-2016-7113; and
• Improper authentication - CVE-2016-7114

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerabilities to access sensitive device information, circumvent authentication, and perform administrative actions. The Siemens security bulletin notes that an attacker needs to have network access to the device.

OZW672 and OZW772 Advisory


This advisory describes two vulnerabilities in the Siemens OZW672 and OZW772 devices. The vulnerabilities were reported by Stefan Viehböck from SEC Consult. Siemens has provided workarounds to mitigate the vulnerabilities, but there is no indication that a more permanent fix is in the offing.

The two reported vulnerabilities are:

• Missing authentication for critical function - CVE-2017-6872 and CVE-2017-6873

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerabilities to read and write historical measurement data under certain conditions, or to read and modify data in TLS sessions.

PROFINET Update


This update provides new information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, and then again on June 20th, 2017. The update provides new affected version information and mitigation measures for SIMATIC PCS 7: All versions prior to V9.0.

SIMATIC Update


This update provides new information on an advisory that was originally published on February 14th, 2017 and updated on June 15th, 2017. The update provides new affected version information for:

• SIMATIC PCS 7: All versions prior to V9.0, and

• SIMATIC PDM: All versions prior to V9.1
