Yesterday the DHS ICS-CERT published an
advisory for the Siemens SiPass Server. Siemens published
this on their ProductCert web page back on October 10th, a fact
I noted in an earlier
blog post about another Siemens product advisory from ICS-CERT. This
advisory describes a buffer overflow vulnerability that was reported in a
coordinated disclosure by Lucas Apa from IOActive.
According to the ICS-CERT advisory, this vulnerability could
allow a relatively low-skilled attacker to conduct a DoS attack or potentially
execute arbitrary code on the system. Siemens has produced a hot fix (available
through customer support) for three versions of the system; older versions
should be upgraded. Additional protection can be established by configuring
perimeter firewalls to block the affected port.