Tuesday, August 29, 2017

ICS-CERT Publishes Three Advisories

Today the DHS ICS-CERT published two control system security advisories for products from Advantech and AzeoTech. They also published a medical device advisory for products from Abbott Laboratories.

Advantech Advisory


This advisory describes nine vulnerabilities in the Advantech WebAccess HMI platform. The vulnerabilities were reported by Fritz Sands, independent researcher rgod, Tenable Network Security, and an anonymous researcher (all via Zero Day Initiative), and Haojun Hou and DongWang from ADLab of Venustech. Advantech has released a new version to mitigate the vulnerabilities. There is no indication that any of the researchers has been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

• Improper neutralization of special elements used in an SQL command - CVE-2017-12710;
• Improper restriction of operations within the bounds of a memory buffer - CVE-2017-12708;
• Stack-based buffer overflow - CVE-2017-12706;
• Heap-based buffer overflow - CVE-2017-12704;
• Use of externally-controlled format string - CVE-2017-12702;
• Improper authentication - CVE-2017-12698;
• Incorrect permission assignment for critical resource - CVE-2017-12713;
• Incorrect privilege assignment - CVE-2017-12711; and
• Uncontrolled search path element - CVE-2017-12711

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote code execution or unauthorized access and could cause the device that the attacker is accessing to crash.

NOTE: Earlier this month I mentioned that there were a large number of ‘pending’ vulnerability reports on Advantech products currently listed on the ZDI web site. These are not those vulnerabilities; those are still apparently being resolved.

AzeoTech Advisory


This advisory describes two vulnerabilities in the AzeoTech DAQFactory HMI. The vulnerabilities were reported by Karn Ganeshen. AzeoTech has produced a new version that mitigates the vulnerabilities. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Incorrect default permissions - CVE-2017-12699; and
• Uncontrolled search path element - CVE-2017-5147

ICS-CERT reports that an authenticated user with local access could exploit the vulnerabilities to escalate their privileges and modify or replace application files.

Abbott Labs Advisory


This advisory describes three vulnerabilities in the Abbott Labs (formerly St. Jude Medical) pacemakers. The vulnerabilities were reported by MedSec. Abbott has produced a firmware update that mitigates the vulnerabilities. ICS-CERT reports that an unidentified third party has verified the efficacy of the fix. The FDA Safety Communication notes that the firmware update must be applied during “an in-person patient visit with a health care provider”.

The three reported vulnerabilities are:

• Improper authentication - CVE-2017-12712;
• Improper restriction of power consumption - CVE-2017-12714; and
• Missing encryption of sensitive data - CVE-2017-12716


ICS-CERT reports that an uncharacterized attacker near the patient could exploit the vulnerabilities to gain unauthorized access to a pacemaker and issue commands, change settings, or otherwise interfere with the intended function of the pacemaker.
