Tuesday, December 19, 2017

ICS-CERT Publishes 5 Advisories and 2 Updates

Today the DHS ICS-CERT published control system security advisories for products from WECON, Siemens, Ecava, PEPPERL+FUCHS and ABB. They also published updates for two previously published advisories for products from Siemens.

WECON Advisory


This advisory describes a heap-based buffer overflow in the WECON LeviStudio HMI. The vulnerability was reported by Michael DePlante working with the Zero Day Initiative (ZDI). WECON notes that the current version mitigates the vulnerability. There is no indication that DePlante was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to crash the device, and that the buffer overflow condition may allow remote code execution.

Siemens Advisory


This advisory describes a download of code without integrity check vulnerability in the Siemens LOGO! Soft Comfort engineering software product. The vulnerability was reported by Tobias Gebhardt. Siemens is providing SHA-256 checksums for all LOGO! Soft Comfort software packages via a secured HTTPS channel.

ICS-CERT reports that an uncharacterized attacker could remotely exploit the vulnerability to manipulate a software package during download. The Siemens security advisory reports that successful exploitation would require the attacker to gain a privileged network position allowing him to capture and modify the affected system’s network communication.

Ecava Advisory


This advisory describes two SQL injection vulnerabilities in the Ecava IntegraXor. The vulnerabilities were independently reported by Steven Seeley of Source Incite, and Michael DePlante and Brad Taylor (working with ZDI). Ecava reports that a newer version mitigates the vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to disclose sensitive information from the database or generate an error in the database log.

PEPPERL+FUCHS Advisory


This advisory describes the key reinstallation attacks (KRACK) vulnerabilities in various WLAN-enabled products from PEPPERL+FUCHS. This report lists 9 of the 10 KRACK CVEs. The vendor is still working on fixes for their Android®-based products. For their Windows®-based products they are recommending that users apply the security update provided by Microsoft. Users who are using WPA-TKIP in their WLAN should switch to AES-CCMP immediately.

ABB Advisory


This advisory describes an unprotected transport of credentials vulnerability in the ABB Ellipse. ICS-CERT reports that this vulnerability was self-reported by ABB, but the ABB security advisory notes that ABB had received information about this vulnerability through responsible disclosure from an unnamed researcher. ABB has released product updates to mitigate the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to discover authentication credentials by sniffing the network traffic. ABB notes that local network access is required for the exploit.

NOTE: I reported on this vulnerability earlier this month.

Industrial Products Update


This update provides additional information on an advisory that was originally published on December 5th, 2017. It provides updated affected version information and mitigation information for:

• SIMATIC S7-400 H V6: All versions prior to V6.0.8
• SIMATIC S7-1500: All versions prior to V2.0
• SIMATIC S7-1500 Software Controller: All versions prior to V2.0

SCALANCE Update


This update provides additional information on an advisory that was originally published on November 14th, 2017 and updated on December 5th, 2017. It provides updated affected version information and mitigation information for:

• RUGGEDCOM RX1400 with WLAN interface: All versions prior to V2.11.2
• SIMATIC RF350M: All versions with Summit Client Utility prior to V22.3.5.16
• SIMATIC RF650M: All versions with Summit Client Utility prior to V22.3.5.16


Note: Siemens has issued a separate security advisory for the last two products listed above. That advisory only lists two of the 10 KRACK CVEs instead of the 10 listed in the original Siemens KRACK advisory. It is not clear why ICS-CERT merged these two advisories.
