Today the DHS ICS-CERT published five advisories: an update of the generic OpenSSL Alert (now an Advisory), two new control-system HeartBleed advisories, a security certificate advisory, and a good ‘old-fashioned’ SQL injection advisory.
Generic OpenSSL Advisory
Instead of continuing to issue ‘letter’ updates to the original OpenSSL Alert (last updated 4-29-14), ICS-CERT has upgraded the document to an Advisory. The new Advisory contains a great deal of new information, including discussions of:
• Impact;
• Background;
• The vulnerability;
• Mitigation overview;
• OpenSSL scanning;
• Detection signatures;
• Specialized search engines.
At first glance it is disappointing that the Advisory does not include the list of affected and unaffected systems that the earlier Alert did. On closer inspection, there is a download link to a spreadsheet that provides that information in much more detail. I would have preferred something that makes it clear when the list was last updated (today’s copy was last updated 5-15-14).
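The ‘detection signatures’ section of the Advisory refers to network rules for spotting the malformed heartbeat request behind HeartBleed. The following is an added illustration of what such a signature checks, written for this post and not taken from the ICS-CERT Advisory or from OpenSSL: it parses TLS records from a byte buffer and applies the bounds check that the vulnerable OpenSSL releases omitted (the claimed payload plus the mandatory 16 bytes of padding must fit inside the record). The sample records at the bottom are constructed for the example.

```python
import struct

# TLS record-layer constants (RFC 5246) and heartbeat extension (RFC 6520)
TLS_HEARTBEAT = 0x18         # content type for heartbeat records
TLS_APPLICATION_DATA = 0x17
HB_REQUEST, HB_RESPONSE = 1, 2
MIN_PADDING = 16             # RFC 6520: padding must be at least 16 bytes
HEADER_LEN = 5               # content type (1) + version (2) + length (2)


def split_records(stream: bytes):
    """Yield (content_type, body) for each complete TLS record in a buffer.

    A trailing partial record is reported as ("truncated", remaining_bytes)
    so a monitor can keep the bytes and wait for the rest of the segment.
    """
    pos = 0
    while pos < len(stream):
        if len(stream) - pos < HEADER_LEN:
            yield "truncated", stream[pos:]
            return
        ctype, _version, length = struct.unpack("!BHH", stream[pos:pos + HEADER_LEN])
        body = stream[pos + HEADER_LEN:pos + HEADER_LEN + length]
        if len(body) < length:
            yield "truncated", stream[pos:]
            return
        yield ctype, body
        pos += HEADER_LEN + length


def classify_heartbeat(body: bytes) -> str:
    """Classify one heartbeat record body: 'ok' or a 'malformed-*' reason."""
    if len(body) < 3:
        return "malformed-short"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed-type"
    # The bounds check missing from the vulnerable OpenSSL 1.0.1 releases:
    # type (1) + length field (2) + claimed payload + minimum padding must
    # fit inside the record body. A larger claim is the HeartBleed signature.
    if 1 + 2 + payload_len + MIN_PADDING > len(body):
        return "malformed-length"
    return "ok"


def scan(stream: bytes):
    """Return one finding per record in the buffer (monitor-side view)."""
    findings = []
    for ctype, body in split_records(stream):
        if ctype == "truncated":
            findings.append("truncated")
        elif ctype == TLS_HEARTBEAT:
            findings.append(classify_heartbeat(body))
        else:
            findings.append("not-heartbeat")
    return findings


# Constructed sample records (TLS 1.1 version bytes 03 02), not captured traffic.
# Benign: 4-byte payload "ping" plus 16 bytes of padding, length field 0x17 = 23.
BENIGN_HEARTBEAT = bytes.fromhex("1803020017") + b"\x01\x00\x04" + b"ping" + b"\x00" * 16
# Malformed: a 3-byte body that claims a 0x4000-byte payload and carries none.
MALFORMED_HEARTBEAT = bytes.fromhex("1803020003") + b"\x01\x40\x00"
# Ordinary application-data record, ignored by the heartbeat check.
APPLICATION_DATA = bytes.fromhex("1703020005") + b"hello"

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_HEARTBEAT),
                         ("malformed", MALFORMED_HEARTBEAT),
                         ("mixed", APPLICATION_DATA + BENIGN_HEARTBEAT)]:
        print(name, scan(sample))
```

The check is deliberately record-local: it never reassembles or decrypts anything, which is what makes it cheap enough to run in an IDS rule. A real deployment would apply it only to the TLS record stream of a session (after the handshake, heartbeat records are encrypted, so the length check works on the record length, not on plaintext content).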
Two Product-Specific HeartBleed Advisories
The two product-specific Advisories are for products from Unified Automation and Schneider. The UA advisory contains a link to the vendor’s own description of the HeartBleed vulnerability. The Schneider advisory notes that the problem is not actually Schneider’s; it exists in a third-party component (from Tableau Software). As always, this raises the question of which other vendors may be using the offending component in their products and therefore share the same vulnerability.
SQL Injection
This advisory covers an SQL injection vulnerability in CSWorks software. The vulnerability was reported by John Leitch in a coordinated disclosure via the Zero Day Initiative. CSWorks has produced an updated version that mitigates the vulnerability, though there is no mention of whether Leitch has verified the efficacy of the fix. ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to possibly execute arbitrary code. The CSWorks security release for this vulnerability reminds system administrators that under “no circumstances should administrators give root access to CSWorks”.
Certificate Vulnerability
This advisory is for a certificate verification vulnerability in the Siemens RuggedCom ROX devices. This is apparently a self-identified vulnerability, and Siemens is still working on firmware updates for the affected systems. ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to execute a man-in-the-middle attack. Pending the production of firmware updates, Siemens recommends the following interim mitigation measures:
• Secure Syslog: Siemens recommends placing the syslog server inside the trusted network boundary until a corrected update is made available.
• Software upgrade: When updating devices running the affected ROX versions, the identity of the update server cannot be ensured. Siemens recommends placing the upgrade server inside the trusted network boundary.
• FTPS: Siemens recommends using SFTP for data transfer until a corrected update is available.