Today the DHS ICS-CERT published an update of a Siemens advisory from last
year, two new Siemens advisories and an advisory for Yokogawa. Siemens also
updated their GNU Bash advisory but that did not necessitate an update of
the ICS-CERT supplement for that vulnerability.
Siemens Update
As I predicted, ICS-CERT had to issue update ‘G’ to their Siemens OpenSSL
Advisory. They did me one better though. They waited until Siemens
published the notice of the availability of the update for APE V2.0.2 and
ROX V2.6.0 with ELAN before they updated the advisory. This should
effectively close out this set of vulnerabilities.
Yokogawa Advisory
This advisory concerns the HART DTM vulnerability for Yokogawa devices that
use the CodeWrights DTM library. The language in this advisory is the same
as that found in the latest
CodeWrights advisory. The only odd thing about this advisory is that
Yokogawa was not listed as a CodeWrights customer on that earlier advisory. I
wonder how many other vendors will also turn out to be affected.
Note: Both the Yokogawa advisory and the JP CERT advisory referenced in the
ICS-CERT document are in Japanese. I would have thought that Yokogawa would
have produced an English-language version for the US market.
Siemens WinCC TIA Portal Advisory
This advisory describes twin authentication vulnerabilities in the Siemens
WinCC TIA Portal.
The vulnerabilities were originally reported by Gleb Gritsai, Roman Ilin,
Aleksandr Tlyapov, and Sergey Gordeychik from Positive Technologies. Siemens
has produced a new service pack that mitigates these vulnerabilities, but there
is no indication that the researchers were given the opportunity to verify the
efficacy of the fix.
The two vulnerabilities are:
● Insufficiently protected credentials - CVE-2015-1358; and
● Hard-coded cryptographic key - CVE-2014-4686 (NOTE: This same
vulnerability was reported by the same researchers in Siemens WinCC last
July)
ICS-CERT reports that a relatively unskilled attacker could remotely exploit
these vulnerabilities to reconstruct passwords or escalate privileges on the
network. Siemens notes that an exploit of the first vulnerability requires
capturing network traffic of the remote management module.
Siemens WinCC Step 7 TIA Portal Advisory
This advisory describes twin authentication vulnerabilities in the WinCC
Step 7 TIA Portal.
The vulnerabilities were reported by Aleksandr Timorin from Positive
Technologies. Siemens has produced a service pack that mitigates the
vulnerabilities but there is no indication that Timorin has been given the
opportunity to verify the efficacy of the fix.
The vulnerabilities are:
● Weak password hashing - CVE-2015-1355; and
● Permissions, privileges and access control - CVE-2015-1356
ICS-CERT reports that an exploit would require a social engineering attack
that could result in remote exploitation of this vulnerability to
reconstruct passwords or gain permission to access the system. Siemens notes
that the second vulnerability requires local access to the TIA project file.