Thursday, February 15, 2018

ICS-CERT Publishes 4 Advisories and One ABB Update


Today the DHS ICS-CERT published four new control system security advisories for products from Schneider Electric (2), GE and Nortek. Additionally, they provided an update for a previously published advisory for products from ABB.

StruxureOn Advisory


This advisory describes an unrestricted upload of file with dangerous type vulnerability in the Schneider StruxureOn Gateway software management program. The vulnerability was self-reported by Schneider.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to upload a malicious file to any directory on the device, which could lead to remote code execution. The Schneider security advisory reports that the file must be a .zip file with specifically modified metadata for this vulnerability to be exploited.

IGSS Mobile Advisory


This advisory describes two vulnerabilities in the Schneider IGSS Mobile application (iOS and Android). The vulnerabilities were reported by Alexander Bolshev (IOActive) and Ivan Yushkevich (Embedi). Schneider has produced updates for both versions. There is no indication that either researcher has been provided an opportunity to verify the efficacy of the fix.



The two reported vulnerabilities are:

• Improper certificate validation - CVE-2017-9968; and
• Plaintext storage of password - CVE-2017-9969

ICS-CERT reports that a relatively low-skilled attacker with local access (okay, they actually said: “Locally exploitable”; that may not mean ‘local access’) could exploit the vulnerabilities to execute a man-in-the-middle attack. In addition, passwords can be accessed by unauthorized users.

NOTE: Marc Ayala pointed out to me that anyone can download these apps from the appropriate (iOS/Android) app store. This means that it would be easy to exploit a compromised mobile password. All the attacker needs to do is to get access to the IGSS configuration file on an oh so secure smart phone to compromise the password.

GE Advisory


This advisory describes two vulnerabilities in the GE D60 Line Distance Relay. The vulnerabilities were reported by Kirill Nesterov of Kaspersky Labs. GE has released new firmware that mitigates the vulnerabilities. There is no indication that Nesterov was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2018-5475; and
• Improper restriction of operations within bounds of memory buffer - CVE-2018-5473

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to execute arbitrary code on the device.

Nortek Advisory


This advisory describes a command injection vulnerability in the Nortek Linear eMerge E3 Series access control interface. The vulnerability was reported by Evgeny Ermakov and Sergey Gordeychik. Nortek recommends upgrading the system using established procedures. There is no indication that either researcher was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to execute malicious code on the system with elevated privileges, allowing for full control of the server.

ABB Update


This update provides additional information on an advisory that was originally published on November 14th, 2017. The update reports that the new Mesh OS release mitigates the KRACK vulnerability in these devices.

NOTE: The updated ABB security advisory that forms the basis for this ICS-CERT update was published on January 11th, 2018.
