ICS-CERT Publishes Schneider Advisory – Misses (again) Siemens Update

This afternoon the DHS ICS-CERT published a new advisory for five command injection vulnerabilities reported by Schneider last week and missed the latest BlackEnergy Siemens update for PCS 7.

Schneider Advisory

This advisory describes the five vulnerabilities reported by researchers Ariele Caltabiano, Andrea Micalizzi, and Brian Gorenc via ZDI in Schneider Electric’s ProClima software package. The ActiveX vulnerabilities are:

• MDraw30.ocx control, 3 vulnerabilities: CVE-2014-8513, CVE-2014-8514, and CVE-2014-9188;

• Atx45.ocx control , 2 vulnerabilities: CVE-2014-8511 and CVE-2014-8512.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to induce a buffer overflow situation that could allow for remote code execution. The link to Schneider advisory is currently reporting ‘http status 404’.

ICS-CERT reports that Schneider has produced an update that mitigates the vulnerabilities. The do not say that the researchers have verified the efficacy of the fix.

Siemens Update

This morning Siemens ProductCert tweeted that they had just updated their WinCC/PCS 7 advisory that ICS-CERT had previously linked with some of the BlackEnergy attacks.  Siemens reported that they had produced an update for PCS 7 V7.1 SP4. This only leaves WinCC V7.0 SP3 without a fix in place. Siemens is working on that and will further update their advisory when that becomes available. ICS-CERT will presumably get around to updating their advisory.