ICS-CERT Publishes Two Advisories and Two Siemens Updates

Yesterday the DHS ICS-CERT published a medical device security advisory for products from Ethicon and a control system security advisory for products from Siemens. It also published two updates of control systems advisories for products from Siemens. The Siemens advisory and the two updates were announced by Siemens last week.

Ethicon Advisory

This advisory describes an improper authentication vulnerability in the Ethicon Endo-Surgery Generator Gen11. This vulnerability is apparently self-reported. A field cybersecurity update is reportedly being made available today. There is no FDA advisory for this vulnerability.

ICS-CERT reports that a highly skilled attacker with local access could exploit this vulnerability to allow for unauthorized devices to be connected to the generator, which could result in a loss of integrity or availability.

Siemens Advisory

This advisory describes multiple vulnerabilities in the Siemens SCALANCE, network interfaces. These vulnerabilities are being self-reported. Siemens is reporting work-around mitigation measures pending the development of updates for these products.

The reported vulnerabilities are:

•Uncontrolled resource consumption (3) - CVE-2017-13704, CVE-2017-14495, and CVE-2017-14496; and

• Improper restriction of operations within the bounds of a memory buffer - CVE-2017-14491

ICS-CERT reports that a relatively low skilled attacker with remote access could exploit these vulnerabilities to crash the DNS service or execute arbitrary code by crafting malicious DNS responses. The Siemens security advisory reports that the buffer vulnerability requires the attacker to be in a man-in-the-middle position to exploit the vulnerability.

S7-300 Update

This update provides new information on an advisory that was originally published on December 13^th, 2016 and then updated on May 9^th, 2017 and July 25^th. This update provides new version information and an update link for the SIMATIC S7-400 V6PN.

PROFINET 2 Update

This update provides new information on an advisory that was originally published on May 9^th, 2017 and updated on June 15, 2017,on July 25^th, 2017, on August 17^th, 2017, on October 10^th and most recently on November 14^th. This update provides new version information and update links for:

• SCALANCE X200: All versions prior to V5.2.2

• S7-400 PN/DP V6 Incl. F: All versions prior to V6.0.6

Missing Siemens Update

On the same day that Siemens announced their advisories for the updates listed above, they also announced an update for their advisory for the DROWN (Decrypting RSA with Obsolete and Weakened eNcryption; CVE-2016-0800) vulnerability in their industrial products. The ICS-CERT advisory for this vulnerability was last updated on July 15^th of this year.

OOPS. I missed the ICS-CERT update for this advisory (0725 EST 11-29-17).