Today the DHS ICS-CERT published an update for a control
system security advisory for a product from Siemens originally
published in August. It also published seven new control system security
advisories for products from:
• Kabona;
• Fatek Automation;
• Moxa;
• Rockwell;
• Siemens; and
• OSIsoft
Siemens Update
This update
provides additional information on the affected versions of the Siemens SINEMA
Server and provides a link to a new version of the affected software. Siemens
published a new
version of their Security Advisory on Wednesday.
Kabona Advisory
This advisory
describes multiple vulnerabilities in the Kabona AB WebDatorCentral (WDC)
application. The vulnerabilities were reported by Martin Jartelius and John
Stock of Outpost 24. Kabona has produced an update to mitigate the
vulnerabilities. ICS-CERT reports that Jartelius has verified the efficacy of
the fix.
The vulnerabilities include:
• Cross-site scripting - CVE-2016-8356;
• Open redirect - CVE-2016-8376; and
• Improper restriction of excessive authentication attempts - CVE-2016-8347
ICS-CERT reports that it would be relatively easy to craft
an exploit, but a social engineering attack would be required to remotely exploit
these vulnerabilities to obtain data from the web server application and
redirect users to other potentially malicious pages.
Fatek Automation Advisory
This advisory
describes multiple vulnerabilities in the Fatek Automation PM and FV Designer
applications. The vulnerabilities were reported by Ariele Caltabiano (kimiya)
through the Zero Day Initiative (ZDI). ICS-CERT notes that Fatek has not
published an update and that ZDI has already published their 0-day notice
on the vulnerabilities (on September 21st) after coordination with
ICS-CERT.
The vulnerabilities include:
• Improper restriction of operations within the bounds of a memory buffer - CVE-2016-5796;
• Stack-based buffer overflow - CVE-2016-5798; and
• Buffer overflow - CVE-2016-5798
(No, I didn’t copy this wrong; the same CVE number is used twice in the
Advisory.)
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to perform a number of malicious actions
including denial of service and arbitrary code execution.
Moxa Advisory
This advisory
describes multiple vulnerabilities in the Moxa ioLogik E1200 series applications.
The vulnerabilities were reported by Alexandru Ariciu of Applied Risk. Moxa has
produced a new version of the firmware that mitigates the vulnerabilities.
ICS-CERT reports that Ariciu has verified the efficacy of the fix.
The vulnerabilities include:
• Cross-site scripting - CVE-2016-8359;
• Insufficiently protected credentials - CVE-2016-8372;
• Weak password requirements - CVE-2016-8379; and
• Cross-site request forgery - CVE-2016-8350
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to remotely execute arbitrary code,
modify parameters and settings, or reset the device.
Rockwell Advisory
This advisory
describes multiple vulnerabilities in the Rockwell Automation Allen-Bradley
Stratix industrial switches. These vulnerabilities are self-reported and are
based upon the recently
reported Cisco IOS and IOS XE vulnerabilities. Rockwell has produced a new
version to mitigate these vulnerabilities.
The vulnerabilities include:
• Information exposure through error message - CVE-2016-6393;
• Improper input validation - CVE-2016-6382 and CVE-2016-6385; and
• Protection mechanism failure - CVE-2016-6380.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to affect the availability of the
affected products via memory exhaustion, module restart, information
corruption, or information exposure.
NOTE: As usual when a vulnerability is based upon problems
with third-party software, I have to wonder what other vendor products might be
using the same software and thus have the same problem.
Siemens SIMATIC Advisory
This advisory
describes twin vulnerabilities in the Siemens SIMATIC STEP 7 (TIA Portal). The
vulnerabilities were reported by Dmitry Sklyarov and Gleb Gritsai from Positive
Technologies. Siemens has produced a new version to mitigate these
vulnerabilities. There is no indication that the researchers have been provided
an opportunity to verify the efficacy of the fix.
The vulnerabilities include:
• Inadequate encryption strength - CVE-2016-7959; and
• Cryptographic issues - CVE-2016-7960
ICS-CERT reports that it would be difficult to craft a
working exploit for these vulnerabilities and it would require local access to
the systems. An exploit would allow an attacker to access sensitive information
contained in TIA Portal project files.
Siemens Advisory
This advisory
describes multiple vulnerabilities in the Siemens Automation License Manager
(ALM). The vulnerabilities were reported by Sergey Temnikov and Vladimir
Dashchenko from Kaspersky Lab. Siemens has produced a new version to mitigate
the vulnerabilities. There is no indication that the researchers have been
provided an opportunity to verify the efficacy of the fix.
The vulnerabilities include:
• Resource exhaustion - CVE-2016-8563;
• SQL injection - CVE-2016-8564; and
• Path traversal - CVE-2016-8565
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit these vulnerabilities to upload files, change configuration
settings, or create a denial-of-service condition. The Siemens
Security Advisory reports that a successful exploit would allow an attacker
to obtain write access to the hard disk.
OSIsoft Advisory
This advisory
describes a permission vulnerability in the OSIsoft PI Web API. The
vulnerability is self-reported by OSIsoft, though the OSIsoft
Security Advisory notes that the problem was reported by a customer.
OSIsoft has produced a new version to mitigate the vulnerability.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit the vulnerability to view or alter PI System data.