Yesterday the DHS ICS-CERT published two control system
security advisories for products from Siemens and Advantech. They also updated two
previously published advisories for products from Siemens.
Siemens Advisory
This advisory
describes an improper input validation vulnerability in the Siemens Industrial
Products. The vulnerability is self-reported. Siemens has provided several
firmware updates to mitigate the vulnerability in many of the affected devices;
work is ongoing for the remaining devices.
ICS-CERT reports that a relatively low-skilled attacker
could remotely (with access to the local Ethernet segment) exploit the
vulnerability to enter a denial-of-service condition, which may require human
interaction to recover the system. The Siemens security advisory notes that: “Specially
crafted PROFINET DCP broadcast packets could cause a Denial-of-Service
condition of affected products on a local Ethernet segment (Layer 2). Human
interaction is required to recover the systems. PROFIBUS interfaces are not
affected.”
Advantech Advisory
This advisory
describes two vulnerabilities in the Advantech WebAccess/SCADA platform. The
vulnerabilities were reported by rgod via the Zero Day Initiative (ZDI). Advantech
has released a new version to mitigate the vulnerabilities. There is no
indication that rgod was provided an opportunity to verify the efficacy of the
fix.
The two reported vulnerabilities are:
• Path traversal - CVE-2018-5445; and
• SQL injection - CVE-2018-5443.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to allow sensitive information to be
disclosed from the target or database without authentication.
Industrial Products Update
This update
provides additional information on an advisory that was originally published on
December 5th, 2017 and updated on December 19th, 2017.
The update provides updated affected version information and mitigation links
for:
• SINAMICS S110 w. PN: All versions prior to V4.4 SP3 HF6; and
• SINAMICS V90 w. PN: All versions prior to V1.02.
PROFINET Update
This update
provides additional information on an advisory that was originally
published on May 9th, 2017 and updated on June 15th, 2017, on July 25th, 2017,
on August 17th, 2017, on October 10th, 2017, and most recently on November
14th, 2017. The update provides updated affected version information and
mitigation links for:
• SMART PC Access V2.3.
NOTE: Siemens announced this morning on TWITTER five new vulnerability updates
and a new product vulnerability. It is going to be a long week.
Follow-up on Gemalto Vulnerabilities
Last week I made a comment in
my post about the Siemens announced vulnerabilities in their implementation
of the Gemalto Sentinel LDK RTE about multiple vendors probably being affected.
Yesterday I saw an interesting
article by Eduard Kovacs at SecurityWeek which led to the Kaspersky
report on the Gemalto vulnerabilities. Kaspersky is reporting 14 separate
vulnerabilities in earlier versions of the Gemalto product, not just the two
Siemens reported in their implementation. They also note that the vulnerable
product may be in use by as many as 40,000 vendors worldwide, including at
least three additional ICS vendors: ABB, General Electric, and HP.
I hate to sound repetitive (but I will bang this drum as often
as necessary), but software developers that use third-party products have not
only got to do a better job of vetting the security of those products, but they
also have a moral (and probably legal) responsibility to update their own
products (and notify their customers about the vulnerabilities) when vulnerabilities
are discovered in third-party components.
ICS-CERT also needs to consider expanding their
vulnerability coordination role to try to reach out to additional vendors when
these third-party vulnerabilities are reported. Now I realize that ICS-CERT
does not generally know who uses what third-party components, but there are
multiple ways that they could effectively reach out to large portions of the
ICS vendor community. One would be to use a mailing list approach to send out
private alerts to all ICS vendors with which they have coordinated vulnerabilities
in the past. Another would be for those alerts to be made public on their web
site.