Today the DHS ICS-CERT published six control system security
advisories for products from Automated Logic Corporation, Moxa, OPW Fuel
Management Systems, and Siemens (3). The ALC advisory was originally published
on the NCCIC Portal on May 30, 2017.
ALC Advisory
This advisory
describes an improper restriction of XML external entity reference
vulnerability in the ALC WebCTRL, Liebert SiteScan, and Carrier i-VU
building automation applications. The vulnerability was reported by Evgeny
Ermakov from Kaspersky Lab. ICS-CERT reports that ALC has developed patches for
the WebCTRL and Carrier i-VU applications that mitigate the vulnerability.
There is no mention of mitigation measures for the Liebert SiteScan. There is
no indication that Ermakov has been provided an opportunity to verify the
efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit the vulnerability to disclose confidential data, cause a
denial of service (DoS), spoof a request from an upstream device, perform port
scanning from the perspective of the machine where the parser is located, and
cause other system impacts.
Moxa Advisory
This advisory
describes an improper neutralization of special elements used in an SQL command
vulnerability in the Moxa SoftCMS Live Viewer, video surveillance software designed for
industrial automation systems. The vulnerability was reported by Ziqiang Gu
from Huawei WeiRan Labs. Moxa has provided a software update to mitigate the
vulnerability. There is no indication that Gu has been provided an opportunity
to verify the efficacy of the fix.
ICS-CERT reports that an uncharacterized attacker with
uncharacterized access could exploit the vulnerability to access SoftCMS Live
Viewer without knowing the user’s password.
OPW Advisory
This advisory
describes two vulnerabilities in the OPW Fuel Management Systems SiteSentinel
Integra and SiteSentinel iSite consoles. The vulnerabilities were reported by Semen
Rozhkov of Kaspersky Lab. OPW has produced a new version to mitigate the
vulnerabilities and recommends that it be applied even if the systems are
protected from exploitation by running off-line or located on a protected
network. There is no indication that Rozhkov has been provided an opportunity
to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Missing authentication for a critical function - CVE-2017-12733; and
• Improper neutralization of special elements used in an SQL command - CVE-2017-12731
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit these vulnerabilities to create an account on the device
or access the device’s database.
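Added example, not code from Moxa, OPW or ICS-CERT: the SoftCMS Live Viewer and SiteSentinel advisories above describe the same bug class, so this Python toy puts a login lookup built by string concatenation (which lets a crafted username satisfy the query without the password, the outcome ICS-CERT describes for SoftCMS) beside the parameterized form that binds the input as data. The user table, the account, and the sqlite3 back end are constructed assumptions.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a product's user table (constructed sample)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('operator', 'correct-horse')")
    return conn


def login_unsafe(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """Vulnerable: special characters in the input become SQL syntax."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone() is not None


def login_safe(conn: sqlite3.Connection, name: str, pw: str) -> bool:
    """Hardened: placeholders bind the input as values, never as SQL text."""
    sql = "SELECT 1 FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone() is not None


def compare(name: str, pw: str) -> tuple:
    """Return (unsafe result, safe result) for one credential pair."""
    conn = make_db()
    return login_unsafe(conn, name, pw), login_safe(conn, name, pw)


if __name__ == "__main__":
    print(compare("operator", "correct-horse"))  # (True, True)
    print(compare("operator", "wrong"))          # (False, False)
    # A quote plus a comment marker in the name cuts the statement off before
    # the password check; only the parameterized lookup still refuses.
    print(compare("operator' --", "wrong"))      # (True, False)
```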
NOTE: I have never had to update software on an ICS device
before, but it seems to me that if it is normally as complicated as the
procedures provided for these devices then it would be a wonder if anyone
ever upgraded device software.
7KM PAC Advisory
This advisory
describes an uncontrolled resource consumption vulnerability in the Siemens 7KM
PAC Switched Ethernet PROFINET expansion module. Siemens is self-reporting this
vulnerability. They have produced a firmware update to mitigate the
vulnerability.
ICS-CERT reports that a relatively low skilled attacker with
uncharacterized access could exploit the vulnerability to cause a denial-of-service
condition in the affected component that may require a manual restart of the
main device to recover. The Siemens security
advisory notes that the attacker must have network access to the local
Ethernet segment (Layer 2) to exploit the vulnerability.
LOGO Advisory
This advisory
describes two vulnerabilities in the Siemens LOGO!8 BM devices. The first
vulnerability listed below was reported by Maxim Rupp; the second was
self-reported by Siemens. Siemens has developed a new firmware version that
mitigates the vulnerabilities. There is no indication that Rupp was provided an
opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Insufficiently protected credentials - CVE-2017-12734; and
• Channel accessible by non-endpoint - CVE-2017-12735
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit these vulnerabilities to hijack existing web sessions.
The Siemens security
advisory notes that the first vulnerability requires network access to the
integrated web server on port 80/tcp to exploit.
Industrial Products Advisory
This advisory
describes an improper restriction of XML external entity reference
vulnerability in Siemens industrial products using the Discovery Service of
the OPC UA protocol stack by the OPC Foundation. The vulnerability was reported
by Sergey Temnikov of Kaspersky Lab. Siemens has produced new software versions
for some of the listed products; other updates are still pending. There is no
indication that Temnikov has been provided an opportunity to verify the
efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit the vulnerability to access various resources. The
Siemens security
advisory reports that an attacker must have network access to the affected
devices to exploit the vulnerability.
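Added example, not code from ALC, Siemens, the OPC Foundation or ICS-CERT: the ALC WebCTRL advisory and this Siemens OPC UA Discovery Service advisory both concern XML external entity handling, and this Python guard shows one hardening an XML consumer can apply to shut down every impact ICS-CERT lists (data disclosure, DoS, spoofed upstream requests, port scanning from the parser host): refuse any DOCTYPE or entity declaration before the document reaches the real parser, and never fetch an external entity. The element names and the opc.tcp endpoint in the samples are constructed.

```python
import xml.parsers.expat as expat
import xml.etree.ElementTree as ET


class UnsafeXML(ValueError):
    """The document declares a DOCTYPE or an entity; it is rejected outright."""


def check_no_entities(data: bytes) -> None:
    """Pre-scan with expat: abort on any DOCTYPE or entity declaration and
    refuse external entities, so no file, URL or port is ever touched.
    Malformed XML raises expat.ExpatError from the same pass."""
    p = expat.ParserCreate()
    p.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML(f"DOCTYPE {name!r} rejected (SYSTEM id {sysid!r})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXML(f"entity declaration {name!r} rejected")

    def on_external_ref(context, base, sysid, pubid):
        return 0  # returning 0 tells expat to stop instead of fetching

    p.StartDoctypeDeclHandler = on_doctype
    p.EntityDeclHandler = on_entity
    p.ExternalEntityRefHandler = on_external_ref
    p.Parse(data, True)


def parse_safely(data: bytes) -> ET.Element:
    """Root element of a document that passed the entity guard."""
    check_no_entities(data)
    return ET.fromstring(data)


def is_accepted(data: bytes) -> bool:
    """True if the document parses, False if the entity guard refused it."""
    try:
        parse_safely(data)
        return True
    except UnsafeXML:
        return False


# Constructed samples: a plain discovery request and the same request with a DTD.
PLAIN = b"<FindServers><EndpointUrl>opc.tcp://plc.example:4840</EndpointUrl></FindServers>"
WITH_DTD = (b'<!DOCTYPE FindServers [<!ENTITY u "opc.tcp://plc.example:4840">]>'
            b"<FindServers><EndpointUrl>&u;</EndpointUrl></FindServers>")

if __name__ == "__main__":
    print(is_accepted(PLAIN), is_accepted(WITH_DTD))  # True False
```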