This afternoon the DHS ICS-CERT published four new
advisories for control system security issues. Three of the advisories were for
products from Siemens (RuggedCom, Smart Client and Siprotec) and the other was
for another Hospira infusion pump.
Hospira Advisory
This advisory
reports that a new unnamed vulnerability found in the Symbiq Infusion System,
in conjunction with vulnerabilities previously reported in the Hospira
infusion pump line of products, allows the product to be “remotely directed to
perform unanticipated operations”. Billy Rios originally reported the
vulnerability. Hospira has developed operational mitigation measures to stop a
remote exploit of this vulnerability.
ICS-CERT reports that: “As previously announced by Hospira
in 2013, the Symbiq Infusion System would be retired on May 31, 2015, and will
be fully removed from the market by December 2015.” This advisory was
originally released to the US-CERT Secure Portal on June 23rd. This
is probably the advisory that I reported
hearing rumors about earlier this month.
ICS-CERT reports that a moderately skilled attacker could
remotely exploit this vulnerability.
The operational mitigation measures include:
∙ “Disconnect the affected product from the network. Disconnecting
the affected product from the network will have operational impacts.
Disconnecting the device will require drug libraries to be updated manually.
Manual updates to each pump can be labor intensive and prone to entry error.
∙ “Ensure that unused ports are closed, to include Port 20/FTP and
Port 23/TELNET.
∙ “Hospira
strongly recommends that healthcare providers contact Hospira’s technical
support to change the default password used to access Port 8443 or to close
Port 8443. Contact Hospira’s technical support at 1-800-241-4002. Hospira is
working directly with Symbiq customers to update the configuration of the pump
to close access ports.”
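One way for a pump owner to confirm the port-related measures above from the clinical network, as an added example (not code from ICS-CERT or Hospira): it attempts a TCP connection to each port the advisory names and reports which ones still answer. The inventory addresses are placeholders.

```python
"""Added example: verify the advisory's port mitigations from the owner's side."""
import socket

# Ports named in the ICS-CERT mitigation text quoted above.
ADVISORY_PORTS = {20: "FTP", 23: "TELNET", 8443: "port 8443 service"}


def port_is_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) or unreachable all count as "not reachable".
        return False


def audit_pumps(hosts, ports=ADVISORY_PORTS, timeout=2.0):
    """Map each host to the list of advisory ports that still accept connections."""
    findings = {}
    for host in hosts:
        open_ports = [p for p in sorted(ports) if port_is_open(host, p, timeout)]
        findings[host] = open_ports
    return findings


def format_report(findings, ports=ADVISORY_PORTS):
    """Turn audit findings into one human-readable line per host."""
    lines = []
    for host, open_ports in findings.items():
        if open_ports:
            detail = ", ".join(f"{p}/{ports[p]}" for p in open_ports)
            lines.append(f"{host}: STILL OPEN {detail}")
        else:
            lines.append(f"{host}: advisory ports closed")
    return lines


if __name__ == "__main__":
    # Hypothetical inventory: replace with the addresses of your own pumps.
    inventory = ["192.0.2.10", "192.0.2.11"]
    for line in format_report(audit_pumps(inventory, timeout=1.0)):
        print(line)
```

An open Port 8443 is not by itself a failure if the default password has been changed with Hospira's technical support; this check cannot verify that.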
Commentary – Disconnect the pumps from the network? We know
that is not a fail-safe action. Besides, how many of the technicians and nurses
have experience updating the drug libraries manually? In my opinion (if anyone
didn’t already suspect) Hospira/FDA/Owners should have already pulled these
devices from use. I see lawsuits in the future.
Siemens RuggedCom Advisory
This advisory
describes a TLS POODLE vulnerability in Siemens RuggedCom ROS and ROX-based
devices. This is apparently a self-identified vulnerability. Siemens has
developed a firmware update for this vulnerability.
ICS-CERT reports that a social engineering attack would be
required to exploit this vulnerability.
The Siemens
Advisory notes that the current firmware update is just for the ROS based
devices and that work is continuing on the ROX based device update.
Siemens Sm@rt Client Advisory
This advisory
describes a password storage vulnerability in the Siemens Sm@rtClient Android
application. The vulnerability was reported by Karsten Sohr from Universität
Bremen and Stephan Huber from Fraunhofer SIT. Siemens has produced a new
version of the application that mitigates the vulnerability. There is no
indication that the researchers have been given the opportunity to verify the
efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker with
local access to the mobile device could obtain the password. This could allow a
successful attacker remote mobile operation and observation of SIMATIC HMI
systems.
Siemens SIPROTEC Advisory
This advisory
describes a denial of service vulnerability in SIPROTEC 4 and SIPROTEC Compact
devices. The vulnerability was reported by Victor Nikitin from i‑Grids LLC.
Siemens has produced a firmware update to mitigate the vulnerability, but there
is no indication that Nikitin has been given the opportunity to verify the
efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit this vulnerability to effect a denial of service attack; a
manual reboot is required to return the device to service.
There is a minor discrepancy in the description of the
affected devices. ICS-CERT reports the affected devices as:
∙ “SIPROTEC 4 and SIPROTEC Compact product families
∙ “All devices that include the EN100 Ethernet module version V4.24
or prior”
The Siemens
Advisory, on the other hand, describes the affected devices this way:
“SIPROTEC 4 and SIPROTEC Compact
product families: All devices where the Ethernet module EN100 with version
V4.24 or lower is included.”
I am pretty sure, however, that owners of these devices
would pretty quickly figure out that the ICS-CERT verbiage is meant to describe
what Siemens reported.