Tuesday, September 29, 2015

ICS-CERT Publishes Siemens Update and Three New Advisories

Today the DHS ICS-CERT published a fifth update to a Siemens advisory originally published in April and most recently updated earlier in September. New advisories were also printed for control system products from Baxter, Mitsubishi and Honeywell.

Siemens Update

This update reports that Siemens has produced a new version of SIMATIC S7 V8.0 SP2 that mitigates the vulnerability. The updated Siemens security advisory explains that users will actually be using the update for SIMATIC WinCC V7.2 Upd11 to update the SIMATIC S7 V8.0 SP2.

Note: There is a minor typo on the ICS-CERT updated advisory. Before the red marked update there is an ‘extra’ listing for SIMATIC S7 V8.0 SP2 with an incorrect link.

Baxter Advisory

This advisory describes four vulnerabilities in the Baxter SIGMA Spectrum Infusion System. The vulnerabilities were reported by Jared Bird with Allina IS Security. Baxter has produced new hardware and software versions which remove three of the four vulnerabilities. There is no indication that Bird has been provided the opportunity to verify the efficacy of the fix. This advisory was originally released to the US-CERT Secure Portal on June 30th, 2015.

The four identified vulnerabilities are:

• Use of hardcoded password, CVE-2014-5431 and CVE-2014-5434;
• Authentication bypass issues, CVE-2014-5432; and
• Cleartext storage of sensitive information, CVE-2014-543;

The uncorrected vulnerability is the hardcoded password that can only be accessed manually. The three other vulnerabilities are remotely exploitable by a relatively unskilled attacker.

There is no indication in this advisory that the FDA has been contacted, or if it has been contacted that it has issued an advisory on this device.

Mitsubishi Advisory

This advisory describes a denial-of-service vulnerability in the Mitsubishi MELSEC FX-series PLCs. The vulnerability was reported by Ralf Spenneberg of OpenSource Security. A new version of the PLCs has been developed that does not have this vulnerability. There is no indication that Spenneberg has been provided an opportunity to verify the efficacy of the fix. This vulnerability was released on the US-CERT Secure Portal on May 26th, 2015.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to execute a DoS attack that would require re-booting of the PLC to recover.

ICS-CERT reports that older versions of the PLC (produced before April 2015) have not been fixed because Mitsubishi “cannot guarantee the quality of new firmware in old hardware”.

Honeywell Advisory

This advisory describes a directory traversal vulnerability in the Honeywell Experion PKS application. The vulnerability was reported by Joel Langill. Honeywell has patches for newer versions of Experion PKS that apparently (poor wording in the advisory) mitigate the vulnerability. There is no indication that Joel has been provided the opportunity to verify the efficacy of the patches.

ICS-CERT reports that a relatively low skilled attacker could use publicly available exploits to remotely exploit this vulnerability to gain access to the host’s root directory.

ICS-CERT has assigned a 2007 CVE # to this vulnerability (CVE-2007-6483) that links to a similar directory traversal vulnerability in the Sentinel Protection Server. The BUGTRAQ report on that earlier vulnerability may be the source of the ‘publicly available exploit’.


NOTE: There is a typo in the Vulnerability Details portion of the advisory. Under ‘Existence of Exploit’ it lists: “An attacker with a low skill would be able to exploit this vulnerability.” The availability of a public exploit was reported earlier in the advisory.
