Today the DHS ICS-CERT published a new control system
advisory for a Siemens product and provided updates on three separate
HeartBleed related documents.
Siemens
The new Siemens
advisory identifies three vulnerabilities in their SINEMA server. Siemens
self-reported the vulnerabilities and has published a software update to
mitigate the problems. The identified vulnerabilities include:
• Code injection, CVE-2014-2731 (incorrectly listed as CVE-2014-7231);
• Relative path traversal, CVE-2014-2732; and
• Improper input validation, CVE-2014-2733.
According to ICS-CERT, a relatively unskilled attacker could
remotely exploit these vulnerabilities to execute arbitrary code, traverse
the file system, or cause a DoS.
HeartBleed Updates
ICS-CERT updated their HeartBleed
Situational Awareness Alert by adding a list of ICS-related products that
have been identified as being specifically affected by the OpenSSL
vulnerability. Only two vendors currently have products on the list, Innominate
and Siemens.
The Innominate
HeartBleed Advisory was also updated. The Phoenix Contact branded versions
of the Innominate devices are not affected by the HeartBleed vulnerability, but
Innominate has upgraded them to the latest version to alleviate customer
concerns. Only the 8.0.0 and 8.0.1 versions of the mGuard firmware are affected
by the vulnerability.
ICS-CERT has also provided a link to the latest
FBI list of Snort Signatures that may be used to detect attempted
exploitation of the HeartBleed vulnerability.