This afternoon the DHS ICS-CERT published two new industrial
control system advisories for products from Siemens and Resource Data
Management.
Siemens Advisory
This advisory
describes twin information disclosure vulnerabilities in the Siemens SPIROTEC
Ethernet modules. The vulnerabilities were independently reported by Aleksandr
Bersenev from HackerDom team and Pavel Toporkov from Kaspersky Lab. Siemens has
produced a firmware update to mitigate the vulnerabilities. There is no
indication that either researcher has been provided an opportunity to verify
the efficacy of the fix.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to obtain sensitive device information
if the attacker has network access to the devices. The Siemens
CERT advisory notes that the firmware update only applies to the SPIROTEC
Compact versions equipped with the EN 100 Ethernet modules. For other models of
the SPIROTEC Compact Siemens recommends protection of the affected networks
with standard cybersecurity protections like firewalls, segmentation, and VPN
access.
Resource Data Management Advisory
This advisory
describes two vulnerabilities in the Resource Data Management Intuitive 650 TDB
Controller. The vulnerability was reported by Maxim Rupp. RDM has produced a
new version of their TDB Control Editor that is used to program their
controllers to mitigate these vulnerabilities. There is no indication that Rupp
has been provided an opportunity to verify the efficacy of the fix.
The two vulnerabilities are:
• Privilege escalation - CVE-2016-4505;
and
• Cross-site request forgery - CVE-2016-4505
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to gain elevated access to alter logs
and parameters or execute unwanted actions.
Posts
No comments:
Post a Comment