Tuesday, June 13, 2017

ICS-CERT Publishes 3 Advisories

Today the DHS ICS-CERT published three control system security advisories for products from Trihedral and OSIsoft. ICS-CERT continues to have problems with Siemens security advisories and updates.

PI Web API Advisory

This advisory describes a cross-site request forgery vulnerability in the OSIsoft Web API. The vulnerability is self-reported. OSIsoft has produced an upgraded version and provides additional mitigation measures.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to access the PI System with the privileges of a legitimate client user (write data).

PI Server Advisory

This advisory describes two improper authentication vulnerabilities in the OSIsoft PI Server. The vulnerabilities are self-reported. A new version (not currently available) has been developed that mitigates the vulnerabilities.

ICS-CERT reports that an (uncharacterized skill level) attacker could remotely exploit the vulnerabilities to spoof a PI Server or cause undefined behavior within the PI Network Manager.

Trihedral Advisory

This advisory describes three vulnerabilities in the Trihedral VTScada product. Karn Ganeshen reported the vulnerabilities. Trihedral has developed a patch to mitigate the vulnerabilities. ICS-CERT reports that Ganeshen has verified the efficacy of the fix.

The three reported vulnerabilities are:

• Uncontrolled resource consumption - CVE-2017-6043;
• Cross-site scripting - CVE-2017-6053; and
• Information exposure - CVE-2017-6045

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to cause uncontrolled resource consumption, arbitrary code execution, or information exposure.

NOTE: the VTScada upgrade notes report that “VTScada logo images are now protected by a checksum. VTScada will not start if these files have been removed or modified. If you wish to create a custom-branded application, contact Trihedral Engineering for licensing.” So it is possible that a facility is using a vulnerable system and does not know it.

Missing Siemens Advisories and Updates

In addition to the five Siemens WannaCry updates I mentioned yesterday, Siemens has recently published six advisories and updates that have not been reported by ICS-CERT. They are:

• SSA-275839: Denial-of-Service Vulnerability in Industrial Products, June 7th;
• SSA-946325: Vulnerabilities in SICAM PAS, June 9th;
• SSA-732541: Denial-of-Service Vulnerability in SIPROTEC 4, June 12th;
• SSA-293562: Vulnerabilities in Industrial Products, June 13th;
• SSA-623229: DROWN Vulnerability in Industrial Products, June 13th; and
• SSA-931064: Authentication Bypass in SIMATIC Logon, June 13th

To be fair, it is probably too soon to be concerned about the last four, but the other 7 missing Siemens reports are definitely of concern.

As always thanks to the Siemens @ProductCERT for their tweets about security updates on their products.
