Yesterday the DHS ICS-CERT published two medical device
security advisories for products from Philips and Medtronic. They published
three industrial control system security advisories for products from Emerson,
Delta Electronics and Siemens. They also updated five previously published control
system security advisories for a variety of products from Siemens.
NOTE: The Siemens advisory and five updates were briefly mentioned here last week. There was another advisory and another update (both 3rd party vendor problems affecting Siemens products) that Siemens announced at the same time that ICS-CERT has apparently decided not to address.
ICS-CERT also recently announced a call for abstracts for the Spring 2018 meeting of the ICSJWG in Albuquerque, NM on April 10 - 12, 2018. Abstracts need to be submitted by March 13th, 2018.
Philips Advisory
This advisory describes a relatively large number of vulnerabilities in the Philips Intellispace Portal ISP visualization and image analysis system. The vulnerabilities are apparently being self-reported. There is no report about these vulnerabilities on the FDA medical device safety page. Philips will be issuing an updated version in the coming months to mitigate the vulnerabilities.
NOTE: Apparently at least some of these vulnerabilities are 3rd party vendor issues that have seen publicly available exploits in other products.
The 35 reported vulnerabilities include:
• Improper input validation (13) - CVE-2018-5474, CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148, CVE-2017-0272, CVE-2017-0277, CVE-2017-0278, CVE-2017-0279, CVE-2017-0269, CVE-2017-0273, and CVE-2017-0280;
• Information exposure (8) - CVE-2017-0147, CVE-2017-0267, CVE-2017-0268, CVE-2017-0270, CVE-2017-0271, CVE-2017-0274, CVE-2017-0275, and CVE-2017-0276;
• Permissions, privileges and access controls (4) - CVE-2018-5472, CVE-2018-5468, CVE-2017-0199, and CVE-2005-1794;
• Unquoted search path element - CVE-2018-5470;
• Left over debug code - CVE-2018-5454; and
• Cryptographic issues (8) - CVE-2018-5458, CVE-2018-5462, CVE-2018-5464, CVE-2018-5466, CVE-2011-3389, CVE-2004-2761, CVE-2014-3566, and CVE-2016-2183.
ICS-CERT reports that an uncharacterized attacker could remotely exploit these vulnerabilities to gain unauthorized access to sensitive information, perform man-in-the-middle attacks, create denial of service conditions, or execute arbitrary code.
Medtronic Advisory
This advisory describes two vulnerabilities in the Medtronic 2090 CareLink Programmers. The vulnerabilities were reported by Billy Rios and Jonathan Butts of Whitescope LLC. There is no report about these vulnerabilities on the FDA medical device safety page. Medtronic has identified compensating controls that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Strong password in a recoverable format - CVE-2018-5446; and
• Relative path traversal - CVE-2018-5448.
ICS-CERT reports that an uncharacterized attacker with access to a CareLink Programmer could exploit the vulnerability to obtain per-product credentials to the software deployment network. These credentials grant access to the software deployment network, but access is limited to read-only versions of device software applications. No write capability exists with the credentials.
Emerson Advisory
This advisory describes a stack-based buffer overflow vulnerability in the Emerson ControlWave Micro Process Automation Controller. The vulnerability was reported by Younes Dragoni of Nozomi Networks. Emerson has a new firmware version that mitigates the vulnerability. There is no indication that Dragoni has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to execute a denial of service attack.
Delta Advisory
This advisory describes three vulnerabilities in the Delta WPLSoft PLC programming software. The vulnerabilities were reported by Axt via the Zero Day Initiative. The newest version of the software mitigates the vulnerabilities. There is no indication that Axt has been provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2018-7494;
• Heap-based buffer overflow - CVE-2018-7507; and
• Out-of-bounds write - CVE-2018-7509.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote code execution or cause the software the attacker is accessing to crash.
Siemens Advisory
This advisory describes a cryptographic vulnerability in the Siemens SIMATIC Industrial PCs. This is a 3rd party vulnerability in RSA key generation allowing for a potential ROCA attack. The vulnerability is being self-reported by Siemens. Siemens has produced firmware updates that mitigate the vulnerability.
ICS-CERT reports that an uncharacterized attacker [probably pretty skilled IMO] could remotely exploit the vulnerability to conduct cryptographic attacks against the key material.
NOTE: This is going to be a widespread vulnerability, potentially affecting any control system using Infineon’s Trusted Platform Module for the generation of RSA keys. It is also another vulnerability for which it would have been helpful if ICS-CERT had published an alert last fall.
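Because any RSA key generated by the affected Infineon library is at risk, the practical question for an asset owner is which of their keys are of that form. Keys from the affected generator have a modulus whose residue modulo each small prime lies in the subgroup generated by 65537, and the ROCA researchers published a fingerprint test built on that property. The script below is an added example, not Siemens', ICS-CERT's or the ROCA team's code: it re-implements that fingerprint with the subgroups computed on the fly rather than the reference detector's precomputed bitmasks, assumes the same prime range (3 to 167) as the public detector, and runs on constructed sample moduli rather than real keys.

```python
"""ROCA fingerprint check for RSA public moduli (added example).

The test comes from the public ROCA research (Nemec et al., 2017): a
modulus N from the affected Infineon generator satisfies N = 65537^a (mod M)
where M is a primorial, so for every small prime p dividing M the residue
N mod p lies in the subgroup of Z_p* generated by 65537. A genuinely random
modulus leaves that subgroup at some prime with overwhelming probability.
Assumption: the prime range 3..167 used by the public detector.
"""
from __future__ import annotations

import math


def _small_primes(limit: int) -> list[int]:
    """Odd primes in [3, limit] by trial division (limit is tiny)."""
    primes: list[int] = []
    for n in range(3, limit + 1, 2):
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
    return primes


FINGERPRINT_PRIMES = _small_primes(167)   # 3, 5, 7, ..., 167 (38 primes)
GENERATOR = 65537                          # the RSA public exponent used as generator


def _subgroup(p: int) -> frozenset[int]:
    """All powers of 65537 modulo p (65537 is prime > p, so it is a unit mod p)."""
    g = GENERATOR % p
    members = set()
    x = 1
    while True:
        x = (x * g) % p
        members.add(x)
        if x == 1:            # cycled back to the identity: subgroup complete
            return frozenset(members)


_SUBGROUPS = {p: _subgroup(p) for p in FINGERPRINT_PRIMES}


def roca_fingerprint_failures(n: int) -> list[int]:
    """Primes at which n falls outside the subgroup; empty means the fingerprint matches."""
    return [p for p in FINGERPRINT_PRIMES if n % p not in _SUBGROUPS[p]]


def has_roca_fingerprint(n: int) -> bool:
    """True if the modulus matches the ROCA fingerprint and the key should be replaced."""
    return not roca_fingerprint_failures(n)


# Constructed sample values (not real keys). M is the primorial of the
# fingerprint primes; any N congruent to 65537^a mod M matches the fingerprint.
M = math.prod(FINGERPRINT_PRIMES)
FINGERPRINTED_N = pow(GENERATOR, 123456789, M) + 7 * M
# 65537 = -1 (mod 11), so the subgroup mod 11 is {1, 10}; a residue of 2 fails there.
ORDINARY_N = 2 + 11 * 1_000_001


if __name__ == "__main__":
    for label, n in (("constructed affected-form modulus", FINGERPRINTED_N),
                     ("constructed ordinary modulus", ORDINARY_N)):
        verdict = "MATCHES fingerprint - replace key" if has_roca_fingerprint(n) else "no match"
        print(f"{label}: {verdict}; failing primes {roca_fingerprint_failures(n)[:5]}")
```

To run it over a real inventory, extract each certificate's modulus as an integer (for example from the public key in PEM form with any X.509 library) and pass it to `has_roca_fingerprint`; a match is a strong indicator that the key came from the affected generator and should be regenerated with patched firmware, not merely re-issued.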
SIMATIC Update
This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15, 2017, on July 25th, 2017, on August 17th, 2017, on October 10th, on November 14th, November 28th, and most recently January 18, 2018. The update adds five new vulnerabilities to the advisory:
• Improper restrictions of operations within the bounds of a memory buffer (3) - CVE-2017-12818, CVE-2017-12820, and CVE-2017-12821;
• Security features - CVE-2017-12819; and
• Improper access control - CVE-2017-12822.
Industrial Products Update
• SIMATIC ET 200MP IM155-5 PN ST: All versions prior to V4.1;
• SIMOTION P V4.4 and V4.5: All versions prior to V4.5 HF5;
• DK Standard Ethernet Controller: All versions prior to V4.1.1 Patch 05; and
• EK-ERTEC 200 PN IO: All versions prior to V4.5.
PROFINET 1 Update
This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15, 2017, on July 25th, 2017, on August 17th, 2017, on October 10th, 2017, November 14th, 2017, and most recently on January 23rd, 2018. The update provides updated affected version information and mitigation links for:
• SIMATIC WinCC flexible 2008: All versions prior to flexible 2008 SP5.
PROFINET 2 Update
This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15, 2017, on July 25th, 2017, on August 17th, 2017, on October 10th, on November 14th, November 28th, 2017, on January 18th, 2018, and most recently on January 25th, 2018. The new information includes new affected version data and mitigation links for:
• SIMATIC ET 200MP IM155-5 PN ST: All versions prior to V4.1.
Ruggedcom Update
This update provides additional information on an advisory that was originally published on September 28th, 2017, and updated on October 17th, 2017. The new information adds corrected version information and mitigation links for:
• SCALANCE XR-500/XM-400: All versions between v6.1 and 6.1.1; and
• SCALANCE XB-200/XC-200/XP-200/XR300-WG: All versions between v3.0 and v3.0.2.