ICS-CERT Publishes 2 Advisories and Updates Meltdown Alert

Yesterday the DHS ICS-CERT published two control system security advisories for products from Siemens and Phoenix Contact. They also updated their control system alert for the Meltdown and Spectre chip vulnerabilities.

Siemens Advisory

This advisory describes multiple vulnerabilities in the Siemens TeleControl Server Basic monitoring platform. The vulnerabilities were apparently self-reported by Siemens. Siemens has produced a new version that mitigates the vulnerabilities. Siemens has also produced work arounds to reduce the risks.

The three reported vulnerabilities are:

• Authentication bypass using an alternate path or channel - CVE-2018-4835;

• Permissions, privileges and access controls - CVE-2018-4836; and

• Uncontrolled resource consumption - CVE-2018-4837

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow for escalation of privileges to perform administrative actions. The Siemens security advisory notes that an attacker would require authenticated network access to exploit these vulnerabilities.

NOTE: This is the advisory I mentioned last week.

Phoenix Advisory

This advisory describes an improper validation of integrity check value vulnerability in the Phoenix mGuard network devices. This vulnerability was apparently self-reported. Phoenix has developed firmware updates to mitigate the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to modify firmware update packages.

Meltdown Update

This update provides additional information on a control system alert that was originally published on January 11^th, 2018 and updated on January 16^th, 2018 and on January 17^th, 2018. The update provides links to new vendor reports for products from:

• Medtronic: http://www.medtronic.com/us-en/product-security/security-updates.html

The following previously published links to vendor sites contain new information:

• ABB – The updated page provides links to product specific information for System 800xA and  Symphony Plus;

• Medtronic – “no evidence suggests that Medtronic products are directly impacted”;

• Rockwell – linked document (log in required) provides updated Microsoft patch compatibility information;

• Schneider – Added Appendix A to security notification to provide product specific information;