Yesterday the DHS ICS-CERT published five control system security
advisories for products from Schneider, Ctek, Digium, iniNet Solutions, and
Saia Burgess Controls. The advisory for the products from Saia Burgess Controls
was originally posted to the NCCIC Portal on August 22, 2017.
Saia Burgess Controls Advisory
This advisory describes an information exposure vulnerability in the Saia
Burgess Controls PCD Controllers. The vulnerability was reported by Davide Fauri
of Eindhoven University of Technology. The latest version of the firmware
mitigates the vulnerability. There is no indication that Fauri has been provided
an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit the vulnerability to obtain information in memory.
The SBC upgrade notes also report that the current version makes the following
security changes:
• Protective functions are activated by default;
• Improved password protection associated with the role-based user management;
• Access filter using "white" and "black" lists;
• Removed hardcoded password [NOT mentioned in ICS-CERT advisory].
Similar changes were also apparently made to the SBC PG5
Controls Suite.
iniNet Solutions Advisory
This advisory describes an improper authentication vulnerability in the iniNet
Solutions SCADA Webserver. The vulnerability was reported by Matthias
Niedermaier and Florian Fischer, both of Augsburg University of Applied
Sciences. iniNet has released a new version that allows users to implement basic
authentication. There is no indication that the researchers were afforded an
opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit the vulnerability to access human-machine interface (HMI) pages
or to modify programmable logic controller (PLC) variables without
authentication.
Digium Advisory
This advisory describes an OS command injection vulnerability in the Digium
Asterisk GUI. The vulnerability was reported by Davy Douhine of RandoriSec.
Asterisk GUI is no longer maintained and should not be used. Digium recommends
that affected users migrate to Digium’s SwitchVox product.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit the vulnerability to execute arbitrary code on the device.
Interesting Questions: Would owners of a control system that
uses an HMI configured with Digium’s Asterisk GUI even know that it had been
used, particularly if the system had been designed by a contractor or vendor?
Would it take a complete system redesign to change out the GUI for an HMI?
Ctek Advisory
This advisory describes an improper authentication vulnerability in the Ctek
SkyRouter. The vulnerability was reported by Maxim Rupp. The latest firmware
version mitigates this vulnerability and “additional security requirements”.
NOTE: “Ctek, Inc., reports that due to industry demand, wireless carriers are
rapidly eliminating 2G and 3G CDMA service and they will not be creating any
additional update releases for those products.” There is no indication that Rupp
was provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit the vulnerability to view and edit settings without
authenticating.
Schneider Advisory
This advisory describes a missing authentication for critical function
vulnerability in the Schneider InduSoft Web Studio products. The vulnerability
was reported by Aaron Portnoy, formerly of Exodus Intelligence. Schneider has
created a patch to mitigate the vulnerability. There is no indication that
Portnoy was provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit the vulnerability to execute arbitrary commands with
high privileges.
NOTE: The Schneider security bulletin was published last Friday. Maybe Dale
Peterson was right; it looks like ICS-CERT is doing ‘ICS-vuln Thursday’.