Today the DHS ICS-CERT published three control system
security advisories for products from Siemens (2) and GE. They also published
the latest version of the ICS-CERT Monitor and a new FY 2016 Assessment Report.
SIMATIC Advisory
This advisory
describes two vulnerabilities in the Siemens SIMATIC Sm@rtClient Android App.
The vulnerabilities were reported by Karsten Sohr and Timo Glander from the TZI
at the University of Bremen. Siemens has released a new version to mitigate the
vulnerabilities. There is no indication that the researchers have been provided
an opportunity to verify the efficacy of the fix.
The two vulnerabilities are:
• Channel accessible by non-endpoint - CVE-2017-6870; and
• Authentication bypass using alternate path or channel - CVE-2017-6871
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit the first vulnerability to read and modify data within a
Transport Layer Security (TLS) session. The Siemens security
bulletin reports that the second vulnerability requires “physical access to
an unlocked mobile device”.
GE Advisory
This advisory
describes a heap-based buffer overflow vulnerability in the GE Communicator
application. The vulnerability was reported by Kimiya, working with iDefense
Labs. GE recommends upgrading to the newest version that mitigates the vulnerability.
There is no indication that Kimiya was provided an opportunity to verify the
efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit the vulnerability to execute arbitrary code or create a
denial-of-service condition.
Comment: Once again a
previously released version (revision date 02-18-17) fixes a security issue
that was not identified in the Release
notes. Remarkably lucky programmers that could fix an unidentified problem.
Those release notes did identify another vulnerability in earlier versions that
was corrected but has apparently not been reported to ICS-CERT: an unused software
graphic library that was identified as a potential Microsoft® ActiveX security
vulnerability.
SiPass Advisory
This advisory
describes multiple vulnerabilities in the Siemens SiPass integrated access
control system. Siemens is self-reporting the vulnerabilities. Siemens has
produced a new version that mitigates the vulnerabilities.
The reported vulnerabilities are:
• Improper authentication - CVE-2017-9939;
• Improper privilege management - CVE-2017-9940;
• Channel accessible by non-endpoint - CVE-2017-9941; and
• Storing passwords in a recoverable format - CVE-2017-9942
ICS-CERT reports that a relatively low skilled attacker with
unauthenticated network access could remotely exploit these vulnerabilities to
perform administrative operations.
ICS-CERT Monitor
The ICS-CERT Monitor for May-June
2017 provides a little more useful information than we have been seeing in
this publication of late. There are two brief but informative articles that
should be read by all facility security managers:
• Data Classification for Recovery Planning (pg 2); and
• Cybersecurity Defense (pg 2)
The first outlines the risk assessment process used to
determine backup rates for data. The second briefly discusses the importance of
wet-ware (personnel) training to aid the security process. Both could have been
fleshed out quite a bit, but given the glossy corporate report format that
really is not practical. It would be helpful if ICS-CERT (or someone) did a
fact sheet or white paper on both of these important topics. If someone knows
of one, please point me at it.
FY 2016 Assessment Report
Well, the FY
2016 Assessment Report is not being published quite as late in the year as the
2015 report was, but you have to wonder why it took so long to publish such an
uninformative 20 page report. If you read my
review of the 2015 report, you already know most of the problems with this
version.
One disheartening fact did jump off the page and scream at me:
‘Physical Access Control’ jumped back onto the ‘Top Six Weakness’ categories
reported in the 130 assessments conducted last year. Again, you have to be
careful of the numbers here because it is quite possible that some of the
facilities had more than one assessment (there are three different assessment
types) conducted.
Oh well, read it. Be careful of how much respect you give
the individual numbers (and those will be much hyped in the main stream and
cybersecurity press), but look for the small pieces of valuable information
(for example, on page 11: “Keys allowing physical access may be out of the
facilities’ control, possibly allowing unauthorized personnel to access critical
or sensitive areas.”).