This afternoon the DHS ICS-CERT updated three advisories for
vulnerabilities in systems from Yokogawa, Emerson and Siemens. They also
published a new Crain-Sistrunk advisory for a vulnerability in the DNP Master
Driver from Elipse.
Yokogawa Update
ICS-CERT reports that
Yokogawa has provided software patches for the affected systems. There is also
a change in the name of some of the affected systems, though the version
numbers remain the same. Interestingly, Yokogawa has not updated their report
on this vulnerability so we don’t know if they made their ‘end of September’
start date for issuing these patches.
BTW: Yokogawa has a new control system vulnerability
report posted to their web site as of last Friday for their FAST/TOOLS
software.
Emerson Update
This update adds
a new vulnerability to those listed in the original version. The new
vulnerability is an authentication bypass by capture-replay vulnerability that
could allow for arbitrary code execution and is also remotely exploitable.
ICS-CERT also reports that, in addition to the patch
previously mentioned, Emerson now also recommends deploying the Moxa EDR-810
secure router; with “the [Moxa] EDR-810
[secure router] between the host and the field device it is virtually
impossible for an attacker to eavesdrop on communications or falsify commands”.
BTW: ICS-CERT is also careful to change the description of
the four researchers that reported the vulnerability and verified the efficacy
of the patch so that the description now indicates that they are ‘formally of
Cimation’; I think they may mean ‘formerly’.
Siemens Update
I suspect that this update of last week’s
advisory reports that Siemens has added a new update for one of the
previously un-mitigated applications. Unfortunately, clicking on the provided
link for this update returns a Chrome notice that “This webpage has a redirect
loop” or an Internet Explorer notice that “This webpage cannot be displayed” as
of 9:45 pm CST. In any case you can find the information on the Siemens ProductCERT
advisory. This is the update that I tweeted about
last Friday. NOTE: As of 1:00 pm CST 12-03-14 the Siemens advisory link is working.
Elipse Advisory
This advisory
describes a resource exhaustion vulnerability in the DNP Master Driver in
various control system products from Elipse. The vulnerability was reported by
the venerable team (make them feel older than they actually are I will) of
Crain-Sistrunk and their trusty Aegis
fuzzer. By my count of their reporting (they aren’t keeping their public
count too up to date, probably busy finding other vulnerabilities) this should
be #27 of 30 DNP vulnerabilities that they have identified. ICS-CERT had
previously released this to the US-CERT Secure Portal on October 30th
(as I cryptically
reported last month).
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to cause short-term (30 seconds in
people time) system unavailability. ICS-CERT reports that Elipse has produced a
new version of their DNP driver that mitigates this vulnerability but they do
not mention if Crain-Sistrunk have verified the efficacy of that fix.