This morning the DHS ICS-CERT published two new control
system security advisories for systems from Siemens and Tollgrade.
Siemens Advisory
This advisory
describes two vulnerabilities in the Siemens SIMATIC S7-1500 CPU family. The
vulnerabilities were self-reported and Siemens has produced firmware upgrades
to mitigate the vulnerabilities.
The two vulnerabilities are:
• Insufficient control flow
management - CVE-2016-2200; and
• Predictability problems - CVE-2016-2201
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit these vulnerabilities to conduct a denial of service
attack or reduce the replay protection efficiency of the device.
Siemens, in their Security
Advisory, credit Lexfo and Amossys for reporting the respective vulnerabilities
that were coordinated through Agence nationale de la sécurité des systèmes
d’information (ANSSI).
Tollgrade Advisory
This advisory
describes four vulnerabilities reported in the Tollgrade Communications, Inc.
SmartGrid LightHouse Sensor Management System (SMS) Software EMS. The
vulnerabilities were reported by Maxim Rupp. Tollgrade has produced a software
upgrade which mitigates the vulnerabilities and Rupp has had an opportunity to
verify the efficacy of the upgrade.
The vulnerabilities include:
• Cross-site request forgery - CVE-2016-0863;
• Disclosure of information -
CVE-2016-0864;
• Insecure credentials - CVE-2016-0865;
and
• Cross-site scripting - CVE-2016-0866
ICS-CERT reports that these vulnerabilities could be
remotely exploited, but notes that a successful social engineering attack would
be required.
Posts
No comments:
Post a Comment