Yesterday the DHS ICS-CERT published a new control system security advisory for a product from Ecava. They also updated two previously published advisories for products from Siemens.
Ecava Advisory
This advisory describes an SQL injection vulnerability in the Ecava IntegraXor. The vulnerability was reported by Tenable Security. Ecava has produced a new version that mitigates the vulnerability. ICS-CERT reports that Tenable has verified the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to effect unauthenticated remote code execution.
PROFINET Update
This update provides additional information on an advisory originally published on May 9th, 2017 and updated on June 15th, 2017. This update provides new affected version data and links to updates for Primary Setup Tool (PST): All versions prior to V4.2 HF1.
Interestingly, this information on the PST was made available in the same updated version of the Siemens Advisory published on June 13th that was used for the previous ICS-CERT update. A close comparison of the original Siemens Advisory and the June 13th version shows that an additional product was also updated but is mentioned neither in the earlier ICS-CERT update nor in this update: the Security Configuration Tool (SCT): All versions < V5.0.
Industrial Products Update
This update provides additional information on an advisory originally issued on November 8, 2016 and then updated November 22nd, 2016; December 23rd, 2016; February 14th, 2017; March 2nd, 2017 and May 9th, 2017. This update provides the same new information as the ICS-CERT update described above. Interestingly (and kudos to ICS-CERT for really prompt reporting), Siemens published their updated Security Advisory just yesterday morning (ICS-CERT time).
NOTE: Siemens also announced (via TWITTER®; @ProductCERT) yesterday that they had published a new security advisory (SSA-126840) and updated another advisory (SSA-275839) with the same SCT information noted above. I expect that we will see those reflected on the ICS-CERT site today or tomorrow.