Today the DHS ICS-CERT published an update for a Siemens
advisory that was originally published on December 1st, 2015.
Two new advisories were also published for vulnerabilities in control system
components from GE and Sauter.
Siemens Update
This update updates
the vulnerable device list to provide limiting version numbers. It also
announces that firmware updates are now available for SIMATIC TIM 3V-IE, TIM
4R-IE, and CP 443-1 / CP 443-1 Advanced modules. Siemens is still working on
updates for a number of other affected devices. Both of the recent updates to
the Siemens
Security Advisory are covered in today’s update.
As has become usual for ICS-CERT advisory updates, this
updated was not listed on the ICS-CERT landing page, but it was reported
on TWITTER®.
GE Advisory
This advisory
describes twin vulnerabilities in the GE SNMP/Web Interface adapter. The
vulnerabilities were reported by Karn Ganeshen. GE has produced a firmware
update to fix the vulnerability in newer versions. There is no indication that
Ganeshen has been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Command injection - CVE-2016-0861; and
•
Cleartext storage of sensitive information - CVE-2016-0862
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit the vulnerability to execute arbitrary system commands.
The GE
Product Security Advisory notes that these adapters are used with
uninterruptable power supplies.
Sauter Advisory
This advisory describes
three vulnerabilities in the Sauter moduWeb Vision application. The
vulnerabilities were reported by Martin Jartelius and John Stock of Outpost24.
Sauter has produced a firmware update to fix the vulnerabilities. ICS-CERT
reports that the researchers have validated the efficacy of the fix.
The vulnerabilities include:
• Insecure credential storage - CVE-2015-7914;
• Insecure transmission of
credentials - CVE-2015-7915; and
• Cross-site scripting -
CVE-2015-7916
Posts
No comments:
Post a Comment