Thursday, August 31, 2017

ICS-CERT Publishes Six Advisories

Today the DHS ICS-CERT published six control system security advisories for products from Automated Logic Corporation, Moxa, OPW Fuel Management Systems, and Siemens (3). The ALC advisory was originally published on the NCCIC Portal on May 30, 2017.

ALC Advisory

This advisory describes an improper restriction of XML external entity reference vulnerability in the ALC WebCTRL, Liebert SiteScan, and Carrier i-VU building automation applications. The vulnerability was reported by Evgeny Ermakov from Kaspersky Lab. ICS-CERT reports that ALC has developed patches for the WebCTRL and Carrier i-VU applications that mitigate the vulnerability. There is no mention of mitigation measures for the Liebert SiteScan. There is no indication that Ermakov has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to cause disclosure of confidential data, denial of service (DoS), spoofing of a request from an upstream device, port scanning from the perspective of the machine where the parser is located, and other system impacts.

Moxa Advisory

This advisory describes an improper neutralization of special elements used in an SQL command in the Moxa SoftCMS Live Viewer, video surveillance software designed for industrial automation systems. The vulnerability was reported by Ziqiang Gu from Huawei WeiRan Labs. Moxa has provided a software update to mitigate the vulnerability. There is no indication that Gu has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to access SoftCMS Live Viewer without knowing the user’s password.

OPW Advisory

This advisory describes two vulnerabilities in the OPW Fuel Management Systems SiteSentinel Integra and SiteSentinel iSite consoles. The vulnerabilities were reported by Semen Rozhkov of Kaspersky Lab. OPW has produced a new version to mitigate the vulnerabilities and recommends that it be applied even if the systems are protected from exploitation by running off-line or by being located on a protected network. There is no indication that Rozhkov has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Missing authentication for a critical function - CVE-2017-12733; and
• Improper neutralization of special elements used in an SQL command - CVE-2017-12731

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to create an account on the device or access the device’s database.

NOTE: I have never had to update software on an ICS device before, but it seems to me that if it is normally as complicated as the procedures provided for these devices then it would be a wonder if anyone ever upgraded device software.

7KM PAC Advisory

This advisory describes an uncontrolled resource consumption vulnerability in the Siemens 7KM PAC Switched Ethernet PROFINET expansion module. Siemens is self-reporting this vulnerability. They have produced a firmware update to mitigate the vulnerability.

ICS-CERT reports that a relatively low skilled attacker with uncharacterized access could exploit the vulnerability to cause a denial-of-service condition in the affected component that may require a manual restart of the main device to recover. The Siemens security advisory notes that the attacker must have network access to the local Ethernet segment (Layer 2) to exploit the vulnerability.

LOGO Advisory

This advisory describes two vulnerabilities in the Siemens LOGO!8 BM devices. The first vulnerability listed below was reported by Maxim Rupp; the second was self-reported by Siemens. Siemens has developed a new firmware version that mitigates the vulnerabilities. There is no indication that Rupp was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Insufficiently protected credentials - CVE-2017-12734; and
• Channel accessible by non-endpoint - CVE-2017-12735

ICS-CERT reports that a relatively low skilled attacker could remotely exploit these vulnerabilities to hijack existing web sessions. The Siemens security advisory notes that the first vulnerability requires network access to the integrated web server on port 80/tcp to exploit.

Industrial Products Advisory

This advisory describes an improper restriction of XML external entity reference vulnerability in Siemens industrial products that use the Discovery Service of the OPC Foundation's OPC UA protocol stack. The vulnerability was reported by Sergey Temnikov of Kaspersky Lab. Siemens has produced new software versions for some of the listed products; other updates are still pending. There is no indication that Temnikov has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to access various resources. The Siemens security advisory reports that an attacker must have network access to the affected devices to exploit the vulnerability.
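Every impact ICS-CERT lists for the two XXE advisories above (the ALC building automation applications and the Siemens OPC UA Discovery Service) comes from the same root cause: the XML parser follows a URI supplied inside the document. The following is an added example, not code from any of the advisories or vendors, showing a Python parser configured so that it never resolves such a reference; the two sample documents and the placeholder SYSTEM URI are constructed for illustration.

```python
import re
import xml.parsers.expat as expat

# Constructed sample documents; neither comes from any of the advisories.
SAFE_DOC = (b'<?xml version="1.0"?>'
            b'<status><device id="pac-1">ok</device></status>')
# Declares an external general entity with a placeholder SYSTEM URI and
# references it in content. A parser that resolves it would fetch the URI.
XXE_DOC = (b'<?xml version="1.0"?>'
           b'<!DOCTYPE status [<!ENTITY ext SYSTEM "file:///CONSTRUCTED/placeholder">]>'
           b'<status><device id="pac-1">&ext;</device></status>')

_DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)


def has_doctype(data: bytes) -> bool:
    """Cheap pre-check: an inline DTD is where ENTITY declarations live.
    Machine-to-machine XML rarely needs one, so it can be rejected outright."""
    return _DOCTYPE_RE.search(data) is not None


def parse_hardened(data: bytes) -> dict:
    """Parse with expat while refusing to fetch any external entity.

    Returns 'ok', the element names seen, the character data, and how many
    external entity references the document tried to trigger."""
    parser = expat.ParserCreate()
    # Never read an external DTD or parameter entity.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    state = {"ok": False, "elements": [], "text": "", "external_refs": 0}
    chunks = []

    def start(name, attrs):
        state["elements"].append(name)

    def chars(d):
        chunks.append(d)

    def external_ref(context, base, system_id, public_id):
        # Called when content references an external entity. Returning 0
        # aborts the parse instead of opening system_id (file, http, ...).
        state["external_refs"] += 1
        return 0

    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.ExternalEntityRefHandler = external_ref
    try:
        parser.Parse(data, True)
        state["ok"] = True
    except expat.ExpatError as err:
        state["error"] = str(err)
    state["text"] = "".join(chunks)
    return state
```

Rejecting any document that fails `has_doctype` before it reaches the parser is the cheaper control; the handler-based refusal is the backstop for parsers that must accept DTDs.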
