Some weeks it seems that every day there is a new set of
advisories from DHS ICS-CERT; this is one of those weeks. Today ICS-CERT
published advisories for Siemens WinCC and the Morpho Itemizer. Oh, and they
missed listing the Morpho advisory on both the landing page and the Advisories
page; they did tweet about it though. When you get busy, mistakes happen unless
you have good administrative controls in place.
Siemens Advisory
This advisory is based upon coordinated disclosures from an
anonymous researcher and a separate report from Sergey Gordeychik, Alexander
Tlyapov, Dmitry Nagibin, and Gleb Gritsai of Positive Technologies. Siemens has
prepared an update that is reported to mitigate the multiple vulnerabilities,
but there is no indication that the researchers have had a chance to verify the
efficacy of the fix.
The vulnerabilities include:
• Forced browsing - CVE-2014-4682 – could allow unauthenticated access to data;
• Session fixation - CVE-2014-4683 – could allow remote privilege escalation;
• Improper privilege management - CVE-2014-4684 – could allow database privilege escalation;
• Permissions, privileges and access control - CVE-2014-4685 – could allow a local user to escalate their privileges; and
• Hard-coded cryptographic key - CVE-2014-4686 – could allow privilege escalation.
ICS-CERT reports that a low-to-moderately skilled attacker
could remotely (except CVE-2014-4685) exploit these vulnerabilities. Siemens
reports that they have produced an update that mitigates the
vulnerabilities in WinCC and expect an update for Simatic PCS7 next month. In
addition they suggest the following actions be taken until a hard fix can be
established:
• Limit the WebNavigator server access to trusted networks/clients only
• Ensure that the WebNavigator clients authenticate themselves against the WebNavigator server (e.g. use client certificates)
• Restrict access to the WinCC database server at port 1433/tcp to trusted entities
• Deactivate all unnecessary OS users on the WinCC server
• Run the WinCC server and engineering stations within a trusted network, or
• Ensure that the WinCC server and the engineering stations communicate via encrypted channels only (e.g. establish a VPN tunnel).
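One way to put the third of those interim measures into practice on a Windows-based WinCC server, as an added example that is not from the Siemens advisory or ICS-CERT: audit the host firewall for inbound rules that leave 1433/tcp open to any remote address, then replace them with a rule scoped to a trusted client subnet. The subnet and rule name are assumptions.

```powershell
# Added example (not Siemens or ICS-CERT material): scope inbound 1433/tcp on a WinCC
# server to trusted clients only. The subnet and rule name below are assumptions.
$TrustedClients = @('10.10.20.0/24')   # assumed engineering-station / client subnet
$RuleName       = 'WinCC SQL 1433 - trusted clients only'

# 1. Audit: inbound Allow rules for 1433/tcp whose remote scope is unrestricted ('Any').
$openRules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
        ($_ | Get-NetFirewallPortFilter) |
            Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '1433' }
    } |
    Where-Object {
        ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
    }

foreach ($r in $openRules) {
    Write-Warning "Rule '$($r.DisplayName)' exposes 1433/tcp to any remote address; disabling it."
    Disable-NetFirewallRule -Name $r.Name
}

# 2. Replace with a rule limited to the trusted subnet on the domain/private profiles only.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort 1433 `
        -RemoteAddress $TrustedClients -Action Allow -Profile Domain,Private | Out-Null
}

# 3. Verify the resulting remote scope of the new rule.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Run it in an elevated PowerShell session; the audit step only reports rules whose LocalPort is exactly 1433, so port ranges that include 1433 need a manual look.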
Morpho Advisory
This advisory looks
at a single hard-coded-credential vulnerability reported by Billy Rios and
Terry McCorkle. ICS-CERT reports that: “Morpho has decided not to address this
vulnerability at this time.” Since the
Itemizer® 3 is not strictly speaking an industrial control system (it’s an
analytical system controller) it could look like this is no big thing. It could,
however, have an effect on police investigations that would rely on these
pieces of equipment to identify drug and explosives trace evidence. A cyber
savvy defense attorney could use this uncorrected vulnerability to cause a
judge to question the validity of test data from this machine and potentially
reverse a drug or explosives conviction or the use of the evidence in court.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to gain administrative access to the
system. Not much you can’t do once you have that access.