Thursday, January 5, 2012

ICS-CERT Updates an Advisory and Issues New Siemens Advisory

Earlier today the DHS Industrial Control System Cyber Emergency Response Team (ICS-CERT) updated a month old advisory for an Invensys product and issued a new advisory for another Siemens control system product.

Invensys Advisory Update

It’s a good thing that there was a new advisory issued today because the change on the Invensys Wonderware InBatch advisory is a small update that probably would not have been worth a standalone blog entry. ICS-CERT changed the CVE file number (CVE-2011-4870) for the vulnerability. The CVE number (CVE-2011-3141) in the original version of the advisory pointed at a different Invensys vulnerability file from August 16th of this year.

BTW: Last week ICS-CERT started explaining the delay in activating the CVE files. The explanation is contained in the footnote containing the file link. That explanation has been on every advisory since the Siemens advisory of December 27th and it reads:

“NIST uses this advisory to create the CVE website report. This website will be active sometime after publication of this advisory.”

New Siemens Advisory

The Siemens advisory deals with two ActiveX component vulnerabilities in the Siemens FactoryLink application. Reported by Kuang-Chun Hung of Taiwan’s Information and Communication Security Technology Center (ICST) was released on the US-CERT secure portal last month.

A buffer overflow vulnerability could allow a moderately skilled attacker to remotely execute arbitrary code via a social engineering attack. The second vulnerability is a data corruption vulnerability that would also require a moderately skilled attacker to use a social engineering attack vector.

Siemens has released a patch to address these vulnerabilities and ICS-CERT is also recommending that owner/operators should install Microsoft Security Advisory 2562937 as another part of the mitigation program for this system.

No comments:

/* Use this with templates/template-twocol.html */