This afternoon the DHS ICS-CERT updated two previously
issued advisories, one for Sielco Sistemi Winlog and the other for Siemens
RuggedCom.
Sielco Sistemi Update
The original advisory (NOTE: the links in that post take you to the new advisory; fortunately, I keep copies) used the same CVE identifier (CVE-2012-3815) for all five listed vulnerabilities. Now, almost two years later, ICS-CERT is providing the correct identifiers and listing two new vulnerabilities. It also updates (unremarked in the Overview section) the list of discoverers, adding Carlos Mario Penagos of IOActive, and adds that Luigi helped validate the efficacy of the update in correcting the vulnerabilities.
It would be interesting to know who called them on these errors. In any case, the correct information is provided below:
• Failure to constrain operations within the bounds of memory, CVE-2012-3815;
• Improper access control, CVE-2012-4353;
• Directory Traversal (NEW), CVE-2012-4356;
and
Siemens Update
The second update comes from an advisory issued last month. It corrects the description of the uncontrolled resource consumption vulnerability and revises the CVSS v2 base score downward from 5.4 to 2.6.
The original advisory noted that:
“Switching functionality is lost by a successful attack and all management services of the devices will be unresponsive.”
The new one reports:
“Switching functionality is not affected and special and uncommon conditions must be fulfilled to perform this attack.”
This information was corrected in the Siemens ProductCERT advisory on March 11th.