Tuesday, November 29, 2016

ICS-CERT Publishes 3 Emerson Advisories

Today the DHS ICS-CERT published three control system security advisories for three products from Emerson. I’m also reporting an update for a previously published advisory for a product from Schneider; the update was published last week.

DeltaV Wireless I/O Card Advisory

This advisory describes an open SSH port vulnerability in the Emerson DeltaV Wireless I/O Card. The vulnerability is apparently self-reported. Emerson has produced a firmware update to mitigate the vulnerability.

ICS-CERT reports that it would be difficult to develop a working exploit of this vulnerability, but it could be remotely exploited to access the file system of devices using the affected product.

DeltaV Easy Security Management Advisory

This advisory describes an improper privilege management vulnerability in the Emerson DeltaV Easy Security Management application. Apparently, this is a self-reported vulnerability. Emerson is discontinuing support for this application.

ICS-CERT reports that local network access is required to exploit this vulnerability, but that constructing an exploit would be difficult. A successful exploit would allow an attacker to elevate privileges within a DeltaV control system.

Liebert SiteScan Advisory

This advisory describes an XML external entity vulnerability in the Emerson Liebert SiteScan application. The vulnerability was reported by Evgeny Ermakov from Positive Technologies. Emerson has produced patches to mitigate the vulnerability.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability, which may lead to the disclosure of confidential data, denial of service (DoS), server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Schneider Update

This update provides additional information about what versions affected by these vulnerabilities require a re-boot to recover from the denial of service. It also provides a link to the Schneider security notice that I mentioned.

BTW: Last Friday Siemens Tweeted about a new advisory and an update of another advisory. I had been expecting those to be reported by ICS-CERT today. Because of the holiday I did not notice them until yesterday.

No comments:

/* Use this with templates/template-twocol.html */