Tuesday, January 19, 2016

ICS-CERT Publishes Siemens Advisory

This morning the DHS ICS-CERT published an advisory for a cross-site scripting vulnerability in building controller communications modules from Siemens. The vulnerability was reported by Aditya Sood. Siemens has produced a firmware update that mitigates the vulnerability, but there is no indication that Sood has had a chance to verify the efficacy of the fix.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to change data and settings on the target device.

The Siemens Advisory does mention the web server login form as being associated with this vulnerability that the ICS-CERT advisory describes. On the other hand, the ICS-CERT advisory does not mention needing to use a social engineering attack (usually prominently featured in ICS-CERT advisories) to get the user to access a specially crafted web site to exploit the vulnerability that the Siemens Advisory describes. It is almost as if the two advisories are describing different vulnerabilities using the same CVE.

NOTE: The different CVSS base scores is more easily explained because of the different versions of the scoring system used by the two organizations to calculate those scores.

NOTE: Siemens announced this vulnerability on TWITTER® last Friday.

No comments:

/* Use this with templates/template-twocol.html */