Today ICS-CERT published a medical device security advisory
for products from Philips. Three previously published industrial control system
security advisories for products from Siemens (2) and Marel were updated with
new information.
Philips Advisory
This advisory
describes two vulnerabilities in the Philip DoseWise Portal (DWP) web
application. The vulnerability was self-reported by Philip. ICS-CERT is
reporting that Philip will be supplying a new product version later this month
to mitigate the vulnerability.
ICS-CERT reports that an uncharacterized attacker could
remotely exploit these vulnerabilities to gain access to the database of the
DWP application, which contains patient health information (PHI). Potential
impact could therefore include compromise of patient confidentiality, system
integrity, and/or system availability.
NOTE: the Philips security
page notes that the discovery of these vulnerabilities was based upon the
findings of a customer submitted complaint and vulnerability report.
Marel Update
This update
provides additional information on an advisory that was originally
published on March 4th, 2017. The new information includes:
• Clarification of affected
equipment;
• Adds a notice of an upcoming
(10-1-17) update for the Pluto based systems;
• Explains that the M3000 terminal
based products reached the end of their supported life in 2012;
• Added a new improper access
control vulnerability to the advisory; and
• Added a
link to the recently published Marel security notification
Comment: In the
original advisory, the stand-alone statement “Marel has not produced an update
to mitigate these vulnerabilities” seemed to indicate that Marel was not being
cooperative. It now seems more that they were being slow to move forward and
perhaps did not understand the need to communicate with ICS-CERT. Either that,
or the publication of the ICS-CERT advisory was a slap in the corporate face
that woke Marel up and got them to work on the vulnerability. I cannot tell
which (properly so) from the ICS-CERT publication. In either case mitigations
appear to be on the way.
It might be helpful if ICS-CERT had some sanction available
that could provide some sort of intermediate push between doing nothing and
publishing a zero-day that could put system owners at risk. The goal is to get
a mitigation in place as soon as practicable and ICS-CERT has no authority to
provide impetus to require recalcitrant vendors to do something.
PROFINET 1 Update
This update
provides additional information on an advisory that was originally
published on May 9th, 2017 and updated
on June 15th, 2017, on June
20th, 2017, on July
6th, 2017, and again on July
25th, 2017. The update provides new affected version information
and mitigation links for:
• STEP 7 - Micro/WIN SMART: All
versions prior to V2.3;
• SIMATIC Automation Tool: All
versions prior to V3.0; and
• SINUMERIK 808D Programming Tool:
All versions prior to V4.7 SP4 HF2
PROFINET 2 Update
This update
provides additional information on an advisory that was originally
published on May 9th, 2017 and updated
on June 15, 2017, and again on July
25th, 2017. The update provides new affected version information
and mitigation links for:
• SIMATIC CP 1543SP-1, CP 1542SP-1
and CP 1542SP-1 IRC: All versions prior to
V1.0.15,
• SIMATIC ET 200SP: All versions
prior to V4.1.0,
• SIMATIC S7-200 SMART: All
versions prior to V2.3,
• SINUMERIK 828D – V4.5 and prior:
All versions prior to V4.5 SP6 HF2
Missing Siemens Updates and Advisories
ICS-CERT has yet to publish update or advisory for the
following TWITTER® announcements from Siemens:
An advisory
has been updated: SSA-286693: Vulnerabilities in Laboratory Diagnostics
Products from Siemens; Aug 7th, 2017;
A new advisory
has been published: SSA-131263: SMBv1 Vulnerabilities in Mobilett Mira Max from
Siemens Healthineers; Aug 7th, 2017
Posts
No comments:
Post a Comment