Today the DHS ICS-CERT published an alert
concerning two vulnerabilities in the Siemens Scalence switch family. Siemens ProductCERT
self-reported these two vulnerabilities. The vulnerabilities are:
• Privilege escalation
vulnerability - CVE-2013-3633;
and
• Input validation vulnerability - CVE-2013-3634
NOTE: Since these vulnerabilities were reported to the US-CERT
National Vulnerability Database last Friday the CVE links above are already
active. The long weekend is the apparent reason for the delay in the ICS-CERT
Advisory.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to execute arbitrary commands or execute
a denial of service attack. Siemens notes that the attacker must have network
access to exploit both vulnerabilities and specific device access for the
second.
The advisory notes that Siemens has provided a firmware
update for the affected devices that mitigates both vulnerabilities. Siemens
also notes (pg 2 of Siemens Advisory) that for the second vulnerability there
is an additional workaround available to mitigate the vulnerability; the device
owner can “either disable SNMP or to completely disable any read-write access”.
Posts
No comments:
Post a Comment