Tuesday, January 15, 2013

ICS-CERT Issues Siemens Advisory but Misses Another

Yesterday DHS ICS-CERT published an advisory for the Siemens Simatic RF Manager. The advisory addresses an ActiveX component buffer overflow vulnerability self-identified by Siemens.

ICS-CERT Advisory

According to the advisory the vulnerability could be remotely exploitable, but would require a social engineering attack to cause an operator to visit a malicious web site using the Simatic RF Manager. A successful exploit could result in the execution of arbitrary code.

Siemens has produced a patch that is available through customer support.

Missed Siemens Reported Vulnerability

While researching this vulnerability, I noticed that ICS-CERT does not yet appear to have reported a separate vulnerability that Siemens disclosed before Christmas. The Siemens CERT web page provides a link to a Siemens advisory on a denial-of-service vulnerability in the Siemens Simatic S7-1200 PLCs. Siemens reports that it is working on a fix for this problem.

Actually, this self-reported vulnerability would cause a bit of a problem for the ICS-CERT vulnerability reporting system. An ICS-CERT ‘alert’ is issued when there is an uncoordinated disclosure of a vulnerability to provide information while ICS-CERT works with the vendor on mitigating the vulnerability. An ICS-CERT ‘advisory’ is issued when mitigation measures are developed. There isn’t really a specific tool to report these types of self-reported vulnerabilities while mitigation measures are pending.

As more vendors take their security issue self-reporting responsibilities more seriously, this type of situation will become more common. ICS-CERT needs to address the situation.

BTW: Kudos to Siemens for self-reporting the unmitigated vulnerability and acknowledging the efforts of the independent researchers who identified it: Dr. Hartmut Pohl, softScheck GmbH, and Arne Vidstrom, Swedish Defence Research Agency.

1 comment:

Anonymous said...

I would tend to agree with your statement regarding Siemens; it has (certainly) taken them a very long time to come to terms, especially since they have been in the news more than once over their product lines, both SIMATIC and RUGGEDCOM. Further, I believe that events such as "Stuxnet" have (hopefully) caused companies, such as Siemens, to re-evaluate their position with their customers through proper and responsible disclosure methods.
