After a three-week breather, advisories start coming hot and
heavy from ICS-CERT. There are two Siemens advisories (one self-reported) and
a coordinated disclosure advisory for IOServer.
Siemens Scalance
The first advisory
addresses two Siemens-reported vulnerabilities in their Scalance W-7xx
product family. They are:
• Key management errors, CVE-2013-4651, hard-coded SSL certificate;
• Improper authentication, CVE-2013-4652, network access required.
NOTE: CVE Links may not be active
for a couple of days.
ICS-CERT notes that a relatively low-skilled attacker could
remotely exploit these vulnerabilities to conduct a man-in-the-middle attack or
take over complete control of the system. Siemens has produced an update that
mitigates the vulnerability (since they self-reported they get to
self-validate). The Siemens-CERT
advisory also provides a work-around for the second vulnerability.
Siemens WinCC
The second advisory addresses two vulnerabilities reported
by Timur Yunusov and Sergey Bobrov of Positive Technologies in a coordinated
disclosure. The vulnerabilities are:
• Cross-site request forgery, CVE-2013-4911;
• URL redirection to untrusted site, CVE-2013-4912.
NOTE: CVE Links may not be active
for a couple of days.
According to the Siemens-CERT
advisory, both vulnerabilities require that a web server be activated on the
affected devices during setup. The attacker must then use a social engineering
attack to get a user to access a malicious web page.
ICS-CERT notes that a moderately skilled attacker could
remotely exploit these vulnerabilities to compromise the integrity (execute
arbitrary code?) and availability (DoS attack?). Siemens has produced a product
update that mitigates the vulnerabilities and has validated the fix (oops, that
should have been the researchers, Yunusov and Bobrov, doing the validation).
IOServer Advisory
The third advisory
of the day reports on an improper input validation vulnerability in the IOServer
Master Station product reported by Adam Crain of Automatak and Chris Sistrunk
in a coordinated disclosure.
ICS-CERT notes that a moderately skilled attacker could
remotely exploit this vulnerability to execute a denial of service attack.
IOServer has produced a Beta Driver (beta2042.exe) that mitigates these
vulnerabilities. There is no indication that the researchers have validated the
efficacy of the updated driver. NOTE: an even more recent Beta Driver is
available.