This afternoon the DHS ICS-CERT updated two earlier
advisories, one from Siemens and one from Schneider. Interestingly, they ignore
the unique Siemens ProductCERT report on GNU Bash vulnerabilities in Siemens
products.
Siemens Update
This advisory was originally published back in July. Since then Siemens has
provided a new update for the still vulnerable SIMATIC PCS7. The original
advisory was published with only a SIMATIC WinCC update available.
Schneider Update
This advisory was originally published almost three weeks ago. Since then
Schneider has made the promised service packs available to correct the
vulnerabilities:
• ClearSCADA 2010 R3.2, Released October 2014, and
• SCADA Expert ClearSCADA 2014 R1.1, Released October 2014.
Siemens GNU Bash Report
ICS-CERT has not yet published an advisory for the recently self-reported
ProductCERT advisory for separate vulnerabilities related to the GNU Bash
problem. Siemens tweeted about this advisory yesterday morning.
The advisory reports specific vulnerabilities in the DHCP
client (ROX 1 and ROX 2 products) and the web interface of their ELAN system (APE
Linux); nothing especially new here.
The interesting report here is the mention of a ‘generic
Bash’ vulnerability in a number of listed products, but only after “major
custom modifications by the user (such as installation of additional software
or custom scripts)”. The public identification of a post-modification vulnerability
marks a real commitment to customer support.