Today the DHS ICS-CERT published a new control system
security advisory and an updated advisory for products from Siemens.
Siemens Advisory
This advisory describes multiple vulnerabilities in the Siemens SIMATIC WinCC
Add-On (license manager software). The vulnerabilities were reported by Sergey
Temnikov and Vladimir Dashchenko from Kaspersky Lab. Siemens reports that a
third party supplier (Gemalto) has released an updated installer that mitigates
the vulnerabilities. The Siemens security advisory reports that SIMATIC WinCC
Add-Ons released in 2015 and earlier include a vulnerable version of Gemalto
Sentinel LDK RTE. There is no indication that the researchers have been
provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Stack-based buffer overflow (2) - CVE-2017-11496 and CVE-2017-11497; and
• Improper input validation - CVE-2017-11498
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow remote code execution or
a denial of service condition.
NOTE: Looking at the Gemalto product
page, it looks like they may have sold this product to multiple vendors. It
will be interesting to see if other vendors come forward to recommend installing
the same (or similar) updates to their systems.
Siemens Update
This update provides new information for an advisory that was originally
published on May 9th, 2017 and updated on June 15, 2017, on July 25th, 2017,
on August 17th, 2017, on October 10th, on November 14th, and most recently
November 28th. The update provides new version information and mitigation
links for:
• SIMOCODE pro V PROFINET: All versions prior to V2.0.0
NOTE: The latest version of this Siemens security
advisory is in their new format which makes checking against previous versions
potentially tedious. Fortunately, Siemens (as opposed to ICS-CERT) annotates
the specific changes made (as opposed to noting the section in which the changes
were made) to their advisories.
Other Siemens Notes
Siemens also published two other advisory documents today that did not make it
into the ICS-CERT publication schedule. One was a new advisory and one was an
update. Since tomorrow is Friday and ICS-CERT seldom publishes advisories on
Friday, I suspect that we will see these two next week.