Thursday, December 7, 2017

ICS-CERT Publishes 3 Advisories and 1 Alert

Today the DHS ICS-CERT published three control system security advisories for products from Phoenix Contact, Rockwell and Xiongmai Technology. They also published a control system security alert for a WAGO programmable logic controller (PLC).

Phoenix Contact Advisory


This advisory describes a cross-site scripting vulnerability in the Phoenix Contact FL COMSERVER, FL COM SERVER, and PSI-MODEM/ETH industrial networking equipment. The vulnerability was reported by Maxim Rupp. Phoenix Contact has released new firmware versions to mitigate the vulnerabilities. There is no indication that Rupp was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to change configuration variables on the device. The VDE-CERT advisory notes that network access is required to exploit the vulnerability.

Rockwell Advisory


This advisory describes an improper input validation vulnerability in the Rockwell FactoryTalk Alarms and Events component of the FactoryTalk Services Platform. The vulnerability was reported by an unnamed major oil and gas company. ICS-CERT reports that newer versions or existing patches mitigate the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial of service condition in the history archiver service running on FactoryTalk Alarms and Events.

QUESTIONS: Does it seem odd to anyone else that a ‘major oil and gas company’ would be using an out-of-date version of this product? Or is this a problem that is endemic to the ICS user community? Did Rockwell notify their customers (or even just their major customers) when they discovered and fixed this vulnerability? (It does not sound like it.)

Xiongmai Technology Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Xiongmai IP Cameras and DVRs. The vulnerability was reported by Clinton Mielke. ICS-CERT reports that Xiongmai has not responded to requests to coordinate with NCCIC/ICS-CERT.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause the device to reboot and return to a more vulnerable state in which Telnet is accessible.

WAGO Alert


This alert describes an unconfirmed improper authentication vulnerability in the WAGO PFC200 PLC. This is the vulnerability that I discussed almost a week ago. SEC Consult reported that they had coordinated with CODESYS and that the vendor was planning on issuing a patch next month.

I am not sure why ICS-CERT issued an alert for the WAGO vulnerability and an advisory for the Xiongmai vulnerability. It would seem to me that those reporting formats probably should have been reversed.


NOTE: There is still no word on the Hikvision vulnerability that I reported in the same blog post as this WAGO vulnerability.
