Today the DHS ICS-CERT published a control-system security advisory for
three vulnerabilities in the EN100 Ethernet module used in the Siemens SIPROTEC
4 and SIPROTEC Compact devices. The vulnerabilities were reported by Kirill
Nesterov and Anatoly Katushin from Kaspersky Lab. Siemens has produced a
firmware update. There is no indication that the researchers have been provided
the opportunity to verify the efficacy of the fix.
The two vulnerabilities are:
• Authentication bypass issues - CVE-2016-7112
and CVE-2016-7114; and
• Resource exhaustion - CVE-2016-7113
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to circumvent authentication and perform
administrative operations. The SiemensCERT advisory
notes that all three vulnerabilities require network access to the device’s web
interface (port 80/tcp).
Posts
No comments:
Post a Comment