Friday, September 22, 2017

ICS-CERT Publishes 5 Advisories

Yesterday the DHS ICS-CERT published five control system security advisories for products from Schneider, Ctek, Digium, iniNet Solutions, and Saia Burgess Controls. The advisory for the products from Saia Burgess Controls was originally posted to the NCCIC Portal on August 22, 2017.

Saia Burgess Controls Advisory


This advisory describes an information exposure vulnerability in the Saia Burgess Controls PCD Controllers. The vulnerability was reported by Davide Fauri of Eindhoven University of Technology. The latest version of the firmware mitigates the vulnerability. There is no indication that Fauri has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to obtain information in memory.

The SBC upgrade notes also report that the current version makes the following security changes:

• Protective functions are activated by default;
• Improved password protection associated with the role-based user management;
• Access filter using "white" and "black" lists;
• Removed hardcoded password [NOT mentioned in ICS-CERT advisory].

Similar changes were also apparently made to the SBC PG5 Controls Suite.

iniNet Solutions Advisory


This advisory describes an improper authentication vulnerability in the iniNet Solutions SCADA Webserver. The vulnerability was reported by Matthias Niedermaier and Florian Fischer, both of Augsburg University of Applied Sciences. iniNet has released a new version that allows users to implement basic authentication. There is no indication that the researchers were afforded an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to access human-machine interface (HMI) pages or to modify programmable logic controller (PLC) variables without authentication.

Digium Advisory


This advisory describes an OS command injection vulnerability in the Digium Asterisk GUI. The vulnerability was reported by Davy Douhine of RandoriSec. Asterisk GUI is no longer maintained and should not be used. Digium recommends that affected users migrate to Digium’s SwitchVox product.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to execute arbitrary code on the device.

Interesting Questions: Would owners of a control system that uses an HMI configured with Digium’s Asterisk GUI even know that it had been used, particularly if the system had been designed by a contractor or vendor? Would it take a complete system redesign to change out the GUI for an HMI?

Ctek Advisory


This advisory describes an improper authentication vulnerability in the Ctek SkyRouter. The vulnerability was reported by Maxim Rupp. The latest firmware version mitigates this vulnerability and addresses “additional security requirements”. NOTE: “Ctek, Inc., reports that due to industry demand, wireless carriers are rapidly eliminating 2G and 3G CDMA service and they will not be creating any additional update releases for those products.” There is no indication that Rupp was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to view and edit settings without authenticating.

Schneider Advisory


This advisory describes a missing authentication for critical function vulnerability in the Schneider InduSoft Web Studio products. The vulnerability was reported by Aaron Portnoy, formerly of Exodus Intelligence. Schneider has created a patch to mitigate the vulnerability. There is no indication that Portnoy was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to remotely execute arbitrary commands with high privileges.


NOTE: The Schneider security bulletin was published last Friday. Maybe Dale Peterson was right; it looks like ICS-CERT is doing ‘ICS-vuln Thursday’.
