Tuesday, February 28, 2017

ICS-CERT Publishes a Siemens Advisory and Update

Today the DHS ICS-CERT published a new control system security advisory and updated another; both of those were for products from Siemens.

Siemens Advisory

This advisory describes two vulnerabilities in the Siemens RUGGEDCOM NMS monitoring products. It appears that these vulnerabilities are self-reported by Siemens. Siemens has produced a new version that mitigates the vulnerabilities.

The two vulnerabilities are:

• Cross-site request forgery - CVE-2017-2682; and
• Cross-site scripting - CVE-2017-2683

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to perform administrative operations under certain conditions.

Siemens Update

This update addresses changes to an advisory that was originally published on April 12th, 2016. The new information includes:

• Updated version information for the SCALANCE X200 IRT family; and
• A link to a new version for the SCALANCE X200 IRT family.

NOTE: These were the two (oops, not three; the other was from the 13th and already reported by ICS-CERT) advisories that I mentioned last week the day after Siemens announced their notifications on TWITTER® on February 22nd.
