Wednesday, November 15, 2017

ICS-CERT Publishes 3 Advisories and Updates 2

Yesterday the DHS ICS-CERT published one medical system security advisory and two control system security advisories. Those advisories were for products from Philips, ABB and Siemens. They also updated two Siemens advisories.

Philips Advisory


This advisory describes an insufficiently protected credentials vulnerability in the Philips IntelliSpace Cardiovascular and Xcelera cardiac image and information management systems. This vulnerability was apparently self-reported. The Philips security page notes that the vulnerability was reported to Philips by a customer. Philips has produced a hot fix update to mitigate the vulnerability.

ICS-CERT reports that an uncharacterized attacker could remotely exploit this vulnerability to access sensitive information stored on the system, modify device configuration, and gain access to connected devices.

NOTE: The Philips security page also has a note about the potential effect of the KRACK vulnerability on Philips products. Research is ongoing at Philips.

ABB Advisory


This advisory describes multiple security features vulnerabilities in the ABB TropOS. These are the KRACK vulnerabilities in this product that I discussed earlier. ICS-CERT reports that ABB is still working on mitigation measures.

ICS-CERT reports that an uncharacterized attacker within radio range of the product could exploit these vulnerabilities to decrypt, replay, and forge some frames on a WPA2 encrypted network.

Siemens Advisory


This advisory describes multiple security features vulnerabilities in the Siemens SCALANCE, SIMATIC, RUGGEDCOM, and SINAMICS Products. These are the KRACK vulnerabilities. Siemens is continuing to work on updates.

ICS-CERT reports that an uncharacterized attacker within radio range of the product could exploit these vulnerabilities to decrypt, replay, and forge some frames on a WPA2 encrypted network.

PROFINET 1 Update


This update provides new information for an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, on June 20th, 2017, on July 6th, 2017, on July 25th, 2017, on August 17th, 2017, and most recently on October 10th. The update provides new affected version information and mitigation links for:

• SIMATIC NET PC-Software: All versions prior to V14 SP1

PROFINET 2 Update


This update provides new information for an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, on July 25th, 2017, on August 17th, 2017, and most recently on October 10th. The update provides new affected version information and mitigation links for:

• Softnet PROFINET IO for PC-based Windows systems: All versions prior to V14 SP1
• SIMATIC ET 200AL: All versions prior to V1.0.2

KRACK Commentary



ICS-CERT publishes two vendor reports (one two weeks old and the other almost a week old) of the KRACK vulnerability in wireless networks (and misses the publicly available information from a third vendor), and still does not see a problem common to all industrial and medical control systems that allow for wireless access, a problem severe enough to provide an alert on the vulnerabilities? SHAME on DHS for allowing this blindness to continue.
