This evening the DHS ICS-CERT published an advisory for 9
separate vulnerabilities in the Siemens S7-1500 CPU firmware. The vulnerabilities were identified
by Siemens and a variety of researchers from Positive Technologies. Siemens has
produced a firmware update that mitigates the vulnerabilities.
The vulnerabilities include:
• Cross-site request forgery, CVE-2014-2249;
• Cross-site scripting, CVE-2014-2246;
• Improper neutralization of script-related HTML tags in a web page, CVE-2014-2247;
• Insufficient entropy, CVE-2014-2251;
• URL redirection to untrusted site, CVE-2014-2248;
• Improper resource shutdown or release, CVE-2014-2259;
• Improper resource shutdown or release, CVE-2014-2253;
• Improper resource shutdown or release, CVE-2014-2255; and
• Improper resource shutdown or release, CVE-2014-2257.
NOTE: The CVE links will be active
in a few days.
ICS-CERT reports that these vulnerabilities can be remotely
exploited (some only with specific user actions) by a moderately skilled
attacker to execute a variety of DoS attacks. The Siemens ProductCERT
advisory provides a little more detail on the access required, noting that:
• For vulnerabilities 1, 2, 3 and 5 the attacker must trick users of the devices into opening malicious web pages. Use of modern browsers may reduce the probability of successful exploitation.
• For vulnerability 7 the attacker must have access to the local Ethernet segment.
• All other vulnerabilities require network access to the port.
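The first group above (CSRF, XSS, script-tag injection and open redirection) all ride on a legitimate user's browser, which is why Siemens says the attacker must lure a user to a malicious page. The following is an added illustration, not code from Siemens, ICS-CERT or the S7-1500 firmware, of the server-side checks that close those classes on an embedded web server; the hostname plc.example.local, the start page /start.html and the request fields are assumptions made for the example.

```python
# Added example (not Siemens or ICS-CERT code): minimal server-side checks for the
# browser-borne vulnerability classes named in the advisory: cross-site request
# forgery, cross-site scripting / script-tag injection, and URL redirection to an
# untrusted site. Hostname, start page and field names are assumptions.
import hmac
import html
import secrets
from urllib.parse import urlparse

DEVICE_HOST = "plc.example.local"   # assumed hostname of the embedded web server
START_PAGE = "/start.html"          # assumed safe fallback for bad redirect targets


def new_csrf_token() -> str:
    """Per-session anti-CSRF token: 32 bytes from the OS CSPRNG, hex encoded.
    A short or predictable token would fall into the 'insufficient entropy' class."""
    return secrets.token_hex(32)


def csrf_request_allowed(headers: dict, form: dict, session_token: str) -> bool:
    """Accept a state-changing request only if (a) the browser's Origin (or, failing
    that, Referer) names this device and (b) the submitted token matches the one
    bound to the session, compared in constant time."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin or urlparse(origin).hostname != DEVICE_HOST:
        return False
    submitted = form.get("csrf_token", "")
    return hmac.compare_digest(submitted, session_token)


def safe_redirect_target(target: str) -> str:
    """Only follow site-relative paths. Anything carrying a scheme or host, the
    protocol-relative '//host' form, or a backslash (which browsers treat as a
    slash, so '/\\evil' becomes '//evil') falls back to the start page."""
    if "\\" in target or target.startswith("//") or not target.startswith("/"):
        return START_PAGE
    parsed = urlparse(target)
    if parsed.scheme or parsed.netloc:
        return START_PAGE
    return target


def render_text(untrusted: str) -> str:
    """HTML-escape user-controlled text before it is placed in a page, so that
    injected <script> tags arrive in the browser as inert entities."""
    return html.escape(untrusted, quote=True)


if __name__ == "__main__":
    token = new_csrf_token()
    # Constructed requests: one from the device's own page, one from an attacker's page.
    print(csrf_request_allowed({"Origin": "http://plc.example.local"}, {"csrf_token": token}, token))
    print(csrf_request_allowed({"Origin": "http://attacker.example"}, {"csrf_token": token}, token))
    print(safe_redirect_target("//attacker.example/"))
    print(render_text("<script>alert(1)</script>"))
```

The Origin check on its own stops the cross-site case only when the browser sends the header, which is why the token remains mandatory; the redirect check rejects rather than rewrites, since any attempt to "fix up" an attacker-controlled URL tends to reopen the hole.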
I noted in the title that this advisory is late. Siemens
published their advisory on Wednesday morning CDT. They also pushed the
information via a TWEET®. It is a tad bit embarrassing to have to report 9
vulnerabilities in a product that has been touted as an example of the new
security engineering standards of Siemens; but they sucked it up and did it in
a proactive and very public way.