Today the DHS ICS-CERT published two medical system
advisories for products from Siemens and one control system advisory for
products from Schneider Electric.
Molecular Imaging Advisory 1
This advisory describes two vulnerabilities in Siemens’ Molecular Imaging products running on Windows XP. These vulnerabilities are apparently self-reported. Siemens is working on updates for these vulnerabilities and recommends disconnecting the devices from networks pending receipt of those updates.
The two reported vulnerabilities:
• Improper control of generation of code - CVE-2008-4250; and
• Improper restriction of operations within the bounds of a memory buffer - CVE-2017-7269
ICS-CERT reports that an uncharacterized attacker could remotely exploit the vulnerabilities to execute arbitrary code.
Note: Neither the ICS-CERT advisory nor the Siemens security advisory reports that there are a number of publicly available exploits for the 2008 Windows XP RPC vulnerability.
Molecular Imaging Advisory 2
This advisory describes multiple vulnerabilities in Siemens’ Molecular Imaging products running on Windows 7. These vulnerabilities were apparently self-reported. Siemens is working on updates for these vulnerabilities and recommends disconnecting the devices from networks pending receipt of those updates.
The reported vulnerabilities are:
• Improper control of generation of code (2) - CVE-2015-1635 and CVE-2015-1497;
• Improper restriction of operations within the bounds of a memory buffer - CVE-2015-7860; and
• Permissions, privileges and access controls - CVE-2015-7861
ICS-CERT reports that an uncharacterized attacker could use publicly available exploits to remotely exploit the vulnerabilities and execute arbitrary code.
NOTE: Both of these advisories note that while disconnecting the devices from networks is a useful mitigation technique, they should be reconnected so that the updates can be remotely applied by Siemens. This is one important difference between medical device and control system advisories: updates only affect the device being updated, so remote updates are an effective option for most medical devices.
Schneider Advisory
This advisory describes an uncontrolled search path element vulnerability in the Schneider Pro-face GP-Pro EX. The vulnerability was reported by Karn Ganeshen. Schneider has developed an update that mitigates the vulnerability. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that an uncharacterized attacker with uncharacterized access could use publicly available exploits to allow arbitrary code execution. The Schneider security bulletin notes that physical access to the computer is required.
Commentary
I continue to be concerned with some delays in ICS-CERT’s publication of advisories. The Siemens advisories were both published a while back (July 17th and July 26th).
While these are both medical devices (and really outside of the ICS-CERT mandate) and Siemens does a good job publicly communicating their vulnerabilities, these vulnerabilities both had publicly available exploits. This makes prompt mitigation especially important, even when it is nothing more than disconnecting the device from networks pending updates.
I suppose that it really comes down to what the role of ICS-CERT is in communicating control system (and now medical device) vulnerabilities. If its role is simply reporting vulnerabilities reported to it by researchers and vendors, then delays such as these are vendor issues, not ICS-CERT issues.
Of course, if ICS-CERT is intended to be more of a cybersecurity resource for system owners than an information sharing tool for vendors, then ICS-CERT is going to have to be more proactive in monitoring major vendor public communications and the cybersecurity press for researcher reports of ICS vulnerabilities and mitigations.
To be fair, that will probably require more resources than are currently allocated for information sharing. And that resource allocation issue is not one that should (or probably can) be resolved at their level; it is something that Congress is probably going to have to address. As control system security continues to become a more important societal issue, Congress is going to have to address the issue of the existence and role of ICS-CERT. In other words, Congress should specifically authorize ICS-CERT and establish its actual role in the industrial cybersecurity realm.