Today the DHS ICS-CERT published six control system
advisories for products from Schweitzer Engineering Laboratories, OSIsoft (2),
ABB, Fuji Electric, and Siemens. They also published updates for two other
control system advisories for products from OSIsoft and Siemens.
SEL Advisory
This advisory
describes an improper access control vulnerability in the SEL SEL-3620 and
SEL-3622 Ethernet Security Gateways. The vulnerability was reported by Jason
Holcomb with Revolutionary Security. SEL has developed a firmware update.
ICS-CERT reports that Holcomb has verified the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to effect unauthorized communications
through the SEL-3620 and SEL-3622 to configured NAT port forwarding
destinations.
PI ProcessBook Advisory
This advisory
describes (unspecified) third party software [Microsoft Visual Basic for
Applications (VBA) v6.5] vulnerabilities in earlier versions of OSIsoft PI
ProcessBook and PI ActiveView. There is no specific listing of the individual
vulnerabilities involved. These vulnerabilities were self-reported by OSIsoft.
Newer versions of the OSIsoft products contain newer versions of VBA, but
upgrading does not remove the dll files in which the vulnerabilities reside;
these must be removed manually.
OSIsoft reports
that the affected VBA version would still be required if the workstation was also
running MS Office 2003 or MS Office 2007.
ICS-CERT reports that a relatively unskilled attacker could
remotely exploit the vulnerabilities to access arbitrary code.
PI Coresight Advisory
This advisory
describes a cross-site request forgery vulnerability in the OSIsoft PI
Coresight product. The vulnerability is self-reported. OSIsoft has produced a
new version that mitigates the vulnerability.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to access the PI System resulting in
unauthorized viewing or alteration of PI System data.
ABB Advisory
This advisory
describes two vulnerabilities in the ABB VSN300 WiFi Logger Card. The
vulnerabilities were reported by Maxim Rupp. Newer versions are not affected by
the vulnerabilities. There is no indication that Rupp was provided an
opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to gain
unauthorized access to privileged information.
Fuji Electric Advisory
This advisory
describes an improper restriction of operations within the bounds of a memory
buffer vulnerability in the Fuji V-Server. The vulnerability was reported by Ariele
Caltabiano via the Zero Day Initiative. Fuji has produced a patch to mitigate
the vulnerability. There is no indication that Caltabiano has been provided an
opportunity to verify the efficacy of the fix.
ICS-CERT reports that an uncharacterized attacker could
remotely exploit the vulnerability to execute arbitrary code.
Siemens Advisory
This advisory
describes an out-of-bounds write vulnerability in the Siemens SIMATIC Logon
Remote Access product. The vulnerability was reported by Tenable Security.
Siemens has produced a new version to mitigate the vulnerability. There is no
indication that Tenable has been provided an opportunity to verify the efficacy
of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to cause a denial of service of the
SIMATIC Logon Remote Access service under certain conditions.
OSIsoft Update
This update
provides new information on the advisory that was originally published on January
10th, 2017. It reports that the new version of PI ProcessBook
described above also mitigates this vulnerability. There is no indication that
the researcher (Vint Maggs) has been provided an opportunity to verify the efficacy
of the fix.
Siemens Update
This update
provides new information on the advisory that was originally
published on June 29th, 2017. Firmware updates are now available
for all affected products. The updated Siemens security
advisory reports that SINUMERIK products have been removed from the
affected products list available on the Siemens website.