Yesterday ICS-CERT published an alert for the Intel Meltdown
and Spectre vulnerabilities. They published three control system security
advisories for products from Phoenix Contact, Moxa, and WECON. They also
updated a previously published advisory for products from Advantech.
Meltdown Alert
This alert describes the CPU hardware vulnerabilities to side-channel attacks
known as Meltdown and Spectre. The alert provides links to the
following vendor notifications about these vulnerabilities:
• ABB;
• Becton, Dickinson and Company (BD);
• Rockwell Automation (account required for login); and
• Siemens
The alert also provides a generic link to the ICS-CERT recommended
practices page. It is disappointing that, in light of the problems seen on
some systems with the Windows Update for Meltdown (here and here, for
example), ICS-CERT has not specifically mentioned the need for checking any
updates on a test platform before uploading to a live control system.
Phoenix Contact Advisory
This advisory describes two vulnerabilities in the Phoenix Contact FL Switch
product line.
The vulnerabilities were reported by Ilya Karpov and Evgeniy Druzhinin of
Positive Technologies. Newer versions of the firmware mitigate these
vulnerabilities. There is no indication that the researchers were provided an opportunity
to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Improper authorization - CVE-2017-16743; and
• Information exposure - CVE-2017-16741
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to gain administrative privileges
and expose information to unauthenticated users.
Moxa Advisory
This advisory describes an unquoted search path vulnerability in the Moxa
MXview network
management software. The vulnerability was reported by Karn Ganeshen. Moxa has
produced a firmware update that mitigates the vulnerability. There is no
indication that Ganeshen was provided an opportunity to verify the efficacy of
the fix.
ICS-CERT reports that a relatively low-skilled attacker with
locally authorized access could exploit the vulnerability to escalate
privileges by inserting arbitrary code into the unquoted service path.
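A defender can audit for this class of flaw by checking service ImagePath values (as exported from the registry or shown by sc qc) for unquoted executable paths that contain spaces. The sketch below is an added example, not code from Moxa, ICS-CERT or this post; the function names, the extension list and the sample service entries are assumptions constructed for illustration.

```python
import re

# Executable extensions a service command line normally ends its path with
# (assumption of this sketch; extend as needed).
_EXE_END = re.compile(r"\.(?:exe|com|bat|cmd)(?=\s|$)", re.IGNORECASE)


def check_image_path(image_path):
    """Classify one service ImagePath string.

    Returns (status, executable, suggested_value); status is 'ok',
    'unquoted' or 'review' (no recognisable executable extension).
    """
    raw = image_path.strip()
    if raw.startswith('"'):
        # Already quoted: the path ends at the closing quote.
        return ("ok", raw[1:].split('"', 1)[0], raw)
    m = _EXE_END.search(raw)
    if m is None:
        # Cannot tell where the path ends; spaces make it worth a manual look.
        return ("review" if " " in raw else "ok", raw, raw)
    exe, args = raw[:m.end()], raw[m.end():]
    if " " not in exe:
        return ("ok", exe, raw)
    # Unquoted path with spaces: suggest the quoted form, arguments preserved.
    return ("unquoted", exe, '"' + exe + '"' + args)


def audit(services):
    """services: mapping of service name -> ImagePath. Returns non-ok findings."""
    findings = []
    for name, image_path in sorted(services.items()):
        status, exe, fix = check_image_path(image_path)
        if status != "ok":
            findings.append((name, status, exe, fix))
    return findings


# Constructed sample data, not taken from any real product or from the advisory.
SAMPLE = {
    "QuotedSvc": r'"C:\Program Files\Example Vendor\svc.exe" -run',
    "PlainSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "ExampleNms": r"C:\Program Files\Example Vendor\NMS Server\nms.exe -service",
    "OddSvc": r"C:\Program Files\Example Vendor\agent",
}

if __name__ == "__main__":
    for name, status, exe, fix in audit(SAMPLE):
        print(f"{name}: {status}: {exe}\n  suggested ImagePath: {fix}")
```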
WECON Advisory
This advisory describes two vulnerabilities in the WECON LeviStudio HMI
Editor. The vulnerabilities were reported by Sergey Zelenyuk of RVRT, HanM0u
of CloverSec Labs, and Brian Gorenc via the Zero Day Initiative. The latest
version of the software mitigates the vulnerabilities. There is no indication
that the researchers have been provided an opportunity to verify the efficacy
of the fix.
The two reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2017-16739; and
• Heap-based buffer overflow - CVE-2017-16737
ICS-CERT reports that a relatively low-skilled attacker could
remotely exploit these vulnerabilities to effect arbitrary code execution.
Advantech Update
This update provides new information on an advisory that was originally
published on January 4th, 2018. It adds two vulnerabilities
to those previously reported:
• Unrestricted upload of file with dangerous type - CVE-2017-16736; and
• Use after free - CVE-2017-16732