This afternoon the DHS ICS-CERT published two new
advisories reporting multiple vulnerabilities in systems from Schneider
Electric and Siemens.
Schneider Advisory
This advisory
reports on two vulnerabilities reported in Schneider Electric’s ETG3000
FactoryCast HMI Gateway by Narendra Shinde of Qualys Security. Schneider has
produced a firmware update that mitigates the vulnerabilities. There is no
indication in the advisory that Shinde was allowed to validate the efficacy of
the update.
The two reported vulnerabilities were:
● Unauthenticated access - CVE-2014-9197; and
● FTP hardcoded credentials - CVE-2014-9198
ICS-CERT reports that a relatively low skilled
attacker could remotely exploit these vulnerabilities to gain access to the HMI
Gateway. ICS-CERT also reports that Shinde reported that default credentials
also allow access to configuration files, but this is not counted as a ‘vulnerability’.
The advisory also reports that the firmware update
does not actually change the FTP credentials; it merely disables the FTP. The
Schneider ‘readme’
document accompanying the firmware update download explains what functions
are lost when the FTP is disabled. Schneider also notes that upon an ETG reboot
the FTP is automatically re-enabled.
Siemens Advisory
This advisory
reports twin denial of service vulnerabilities in the SCALANCE X-300/X408
switch family. The vulnerabilities were reported by Déjà vu Security. Siemens
has produced a firmware update that mitigates the vulnerabilities but there is
no indication that Déjà vu Security has had the opportunity to verify the
efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit these vulnerabilities to execute a denial of service
attack. Siemens
reports that both vulnerabilities require network access and one of the
vulnerabilities requires the attacker be able to sign in to the FTP server.
Missed Siemens Advisory
Readers who follow me on TWITTER® (@pjcoyle) know
that yesterday when Siemens reported their SCALANCE vulnerability they also reported
on their NTP vulnerability in their RuggedCom devices. This is the set of
vulnerabilities reported
by ICS-CERT back in December. Siemens reports that their ROX-based devices
may be affected by those vulnerabilities.
They report that they are working on updates for the
affected products. Their current advisory does provide some interim mitigation
measures that system owners can take while waiting for the updates to be made
available.
I suspect that the reason that ICS-CERT did not
report this particular Siemens vulnerability is that the original NTP Advisory ‘addressed
the problem’. Unfortunately it looks like Siemens (and perhaps other vendors) may
have to take additional actions to protect their systems beyond that
recommended in the NTP Advisory.