Today DHS ICS-CERT published their latest Monthly Monitor
and a new advisory for multiple vulnerabilities in Siemens’ WinCC.
Monthly Monitor
The August 2012 ICS-CERT Monthly Monitor was published today. This issue
covers some interesting topics, including medical device vulnerabilities, the
Indian grid failure, and new disclosure policies. Unfortunately, none of them
are up to the typical level of detail we’ve come to expect from ICS-CERT.
Summer is a slow time for many news organizations and it appears to have
affected the latest issue of the Monthly Monitor. We’ll wait for the September
issue.
Siemens Vulnerabilities
Siemens is reporting five vulnerabilities in its WinCC WebNavigator. These
were originally reported to Siemens by Positive Technologies. The
vulnerabilities include:
• Reflected cross site scripting, CVE-2012-3031;
• Cross site request forgery, CVE-2012-3028;
• Forceful browsing, CVE-2012-3030;
• SQL injection, CVE-2012-3032; and
• ActiveX, CVE-2012-3034.
An attacker with medium skills could remotely exploit these common
browser vulnerabilities. Siemens has an update for WinCC 7.0 SP2 that fixes
four of these vulnerabilities. The cross site request forgery vulnerability has
yet to be patched. For that vulnerability, as an interim solution, Siemens
recommends:
• Do not interact with other Internet-related services while being logged in.
• Log out when WebNavigator is not needed any more.
This is the second web browser vulnerability report in a week in a major
control system product. Folks like Microsoft have been dealing with these
types of vulnerabilities for many years. I won’t be surprised if researchers
include these dedicated web browsers in their ongoing searches for
easy-to-find vulnerabilities.