Wednesday, May 17, 2017

ICS-CERT Updates WannaCry Alert and Publishes 4 Advisories

Yesterday the DHS ICS-CERT updated their earlier alert on the WannaCry ransomware. They also published four control system security advisories for products from Schneider Electric (2), Hanwha Techwin, and Detcon.

WannaCry Update

This update provides additional information on the alert that was issued yesterday. The new information includes:

• Links to two new vendor advisories from ABB and Siemens; and
• Links to some generic information (here and here) from the FDA on medical device security.

Siemens makes an important point about medical device cybersecurity:

“We would like to point out that neither the use of an email client nor browsing the internet is part of the intended use of most of the product types covered by this Siemens Security Bulletin.”

The ABB document does mention restricting SMB protocol use but stops short of recommending disabling the protocol as suggested by Microsoft. They do note:

“This will help to prevent spreading of the WannaCry malware from individual compromised computers. For specific guidance please see additional communication for specific ABB solutions and contact your local ABB service organization.”
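Microsoft's guidance at the time was specifically to disable SMBv1, the legacy dialect WannaCry spreads over, and ABB's note above ties any such change on ICS hosts to vendor-specific guidance. The following PowerShell is an added example, not code from ICS-CERT, ABB, or Microsoft: it audits the SMBv1 state of a Windows host (server listener, the SMB1Protocol optional feature, and the client redirector driver) and keeps remediation in a separate function gated by -WhatIf/-Confirm so it is only run where the asset owner and vendor have cleared it. It assumes Windows 8.1 / Server 2012 R2 or later with the SmbShare and DISM modules available; the function names Get-Smb1Status and Disable-Smb1 are my own.

```powershell
# Added example, not from the ICS-CERT alert or the ABB/Microsoft documents it links.
# Audits whether the legacy SMBv1 protocol is still enabled on a Windows host.
# Assumes Windows 8.1 / Server 2012 R2 or later (SmbShare and DISM modules present).

function Get-Smb1Status {
    [CmdletBinding()]
    param()

    # Server side: SMBv1 listener state from the SMB server configuration.
    $server = Get-SmbServerConfiguration -ErrorAction Stop

    # Optional feature: whether the SMB1Protocol component is installed at all.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue

    # Client side: the SMBv1 redirector driver (mrxsmb10). Win32_SystemDriver is queried
    # because Get-Service does not list kernel-mode drivers.
    $driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='mrxsmb10'" -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        ServerSmb1Enabled = [bool]$server.EnableSMB1Protocol
        FeatureState      = if ($feature) { $feature.State.ToString() } else { 'NotPresent' }
        ClientDriverState = if ($driver)  { $driver.State }              else { 'NotPresent' }
        ClientDriverStart = if ($driver)  { $driver.StartMode }          else { 'NotPresent' }
    }
}

function Disable-Smb1 {
    # Remediation is deliberately a separate, high-impact ShouldProcess step: on ICS hosts
    # it should only run after the vendor has confirmed the product does not need SMBv1.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()

    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable SMBv1 in the SMB server configuration')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Remove the SMB1Protocol optional feature')) {
        # -NoRestart: removal completes at the next reboot, which belongs in a maintenance window.
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

# Audit only; remediation is an explicit second step (e.g. Disable-Smb1 -WhatIf to preview).
Get-Smb1Status | Format-List
```

Running the audit across a fleet (for example via Invoke-Command against a list of engineering workstations) gives an inventory of where SMBv1 is still live before any change is made; a host reporting ServerSmb1Enabled = True with a running mrxsmb10 driver is both a WannaCry propagation target and a potential source, and is the one to raise with the vendor first.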

NOTE: The US-CERT also updated their alert for this malware.

Schneider VAMPSET Advisory

This advisory describes an improper input validation vulnerability in the Schneider VAMPSET tool. The vulnerability was reported by Kushal Arvind Shah from Fortinet's Fortiguard Labs. Schneider has produced a new firmware version to mitigate the vulnerability. There is no indication that Shah has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker with local access could exploit the vulnerability to cause the software to enter a denial-of-service condition. The Schneider Security Notification reports that the vulnerability has no effect on the operation of the protection relay to which VAMPSET is connected.

Techwin Advisory

This advisory describes an improper access control vulnerability in the Hanwha Techwin SRN-4000 network video management platform. The vulnerability was reported by Can Demirel and Faruk Unal of Biznet Bilisim. Techwin reports that a newer version mitigates the vulnerability. ICS-CERT reports that the researchers have verified the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to allow the attacker remote access to the web management portal with admin privileges without authentication.

Schneider SoMachine Advisory

This advisory describes two vulnerabilities in the Schneider SoMachine HVAC software. The vulnerabilities were separately reported by Zhou YU and Himanshu Mehta. Schneider reports that a newer version mitigates the vulnerabilities. There is no indication that either researcher has been provided the opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2017-7965; and
• Uncontrolled search path element - CVE-2017-7966

ICS-CERT reports that a relatively unskilled attacker (no access characterization) could exploit the vulnerability to allow arbitrary code execution and could cause the device that the attacker is accessing to crash due to a buffer overflow condition.

NOTE: The Schneider Security Notification only addresses the buffer overflow vulnerability.

Detcon Advisory

This advisory describes two vulnerabilities in the Detcon SiteWatch Gateway. The vulnerabilities were reported by Maxim Rupp. ICS-CERT reports that Detcon no longer owns or services the SiteWatch Gateway product, but is attempting to notify customers of the vulnerabilities.

The two reported vulnerabilities are:

• Improper authentication - CVE-2017-6049; and
• Plaintext storage of passwords - CVE-2017-6047

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to allow remote code execution. An attacker who exploits these vulnerabilities may be able to change settings on the affected product or obtain user passwords.
