Today the DHS ICS-CERT published two control system security
advisories for products from Siemens and Nari as well as a medical control
system security advisory for products from Philips. They also updated five
control system security advisories from Siemens.
Philips Advisory
This advisory
describes an insufficient session expiration vulnerability in the Philips IntelliSpace
Cardiovascular cardiac image and information management systems. According to
the Philips product
security page this vulnerability was identified based upon a customer
submitted complaint. Philips plans on releasing an updated version to mitigate
the vulnerability.
ICS-CERT reports that a relatively low-skilled attacker with
local access could exploit the vulnerability to gain unauthorized access to sensitive
information stored on the system and modify this information.
NOTE: This vulnerability was not reported on the FDA medical
device safety communications page, probably because an exploit would only
reveal personally identifiable information, making this more of a HIPAA problem. Unfortunately, I
cannot find (after an admittedly brief search) a software vulnerability
reporting page on the HHS HIPAA site.
Siemens Advisory
This advisory
describes an improper authentication vulnerability in the Siemens Desigo PXC.
The vulnerability was reported by Can Demirel and Melih Berk Eksioglu from
Biznet Bilisim. Siemens has provided an updated version that mitigates the
vulnerability. There is no indication that the researchers have been provided
an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to upload malicious
firmware without prior authentication.
BTW: Siemens tweeted
this morning about another new advisory that they have just published. That
will probably show up next week on the ICS-CERT site.
Nari Advisory
This advisory
describes an improper input validation vulnerability in the Nari PCS-9611
relay, a control and monitoring unit. The vulnerability was reported by Kirill
Nesterov and Alexey Osipov from Kaspersky Labs. Nari has not responded to
ICS-CERT about this reported vulnerability.
ICS-CERT reports that a relatively low-skilled attacker
could use a publicly available exploit to remotely exploit the vulnerability to
gain arbitrary read/write abilities on the system.
Industrial Products (older advisory) Update
This update
provides new information for an advisory that was originally
issued on November 8, 2016 and then updated November 22nd, 2016;
December 23rd, 2016; February 14th, 2017; March 2nd, 2017;
May 9th, 2017; and again on June 20th, 2017. The new information includes
new affected version data and mitigation links for:
• SINEMA Remote Connect Client: All
versions prior to V1.0 SP3;
NOTE: The revised Siemens security
notice also changed the temporary mitigation measures for SIMATIC PCS 7
V8.1, but that was not mentioned in the ICS-CERT update.
S7-300 Update
This update
provides new information for an advisory that was originally
published on December 13th, 2016 and then updated
on May 9th, 2017, July
25th, 2017, and again on November
28th, 2017. The new information includes the addition of two new
affected products along with mitigation links:
• SIMATIC S7-400 V7 CPU family; and
• SIMATIC S7-410 V8 CPU family
NOTE: The revised Siemens security
notice reports that the S7-410 V8 CPU family is only affected by the
inadequate encryption strength vulnerability.
PROFINET Update
This update
provides new information for an advisory that was originally
published on May 9th, 2017 and updated on
June 15, 2017, on July 25th, 2017, on August 17th, 2017,
on October 10th, on November 14th, November 28th, 2017,
and most recently January 18th, 2018. The new information includes
new affected version data and mitigation links for:
• S7-400 PN/DP V7 Incl. F: All
versions prior to V7.0.2
• SINAMICS DCP w. PN: All versions
prior to V1.2 HF 1
SCALANCE Update
This update
provides new information for an advisory that was originally
published on November 14th, 2017 and updated on December
5th, 2017, and again on December
19th, 2017. The new information includes new affected version
data and mitigation links for:
• SCALANCE WLC711: All versions
prior to V9.21.19.003; and
• SCALANCE WLC712: All versions
prior to V9.21.19.003
Industrial Products (newer advisory) Update
This update
provides new information for an advisory that was originally published on
December 5th, 2017 and updated on December
19th, 2017 and again on January
23rd, 2018. The new information includes new affected version
data and mitigation links for:
• SIMATIC S7-400 PN/DP V7: All
versions prior to V7.0.2; and
• SIMATIC ET 200MP: All versions
prior to V4.0.2
Commentary
Even if Siemens does not issue any more multiple product
advisories in the near future (not likely; they have obviously shared a bunch
of code across product lines over the years) we will continue to see large
numbers of these advisory updates over the next year or so. Unfortunately,
while vulnerable code is relatively easy to share, fixes cannot be cut and
pasted so easily; too many dependencies, loops, etc. to check and modify as
necessary. These time- and resource-consuming exercises being undertaken by Siemens
are a good example of why secure coding practices are so important; it really
is easier over the life of the product to do it right the first time.
It would really be a good cybersecurity grad-student project
to look at the costs that Siemens is expending to go back and correct mistakes
that should have been caught before they ever made it to market.