Yesterday the DHS ICS-CERT published three control system
security advisories for products from Gemalto, Smart Software Solutions (3S),
and Fuji Electric. They also updated a previously published control system
security advisory for products from NXP Semiconductor.
Gemalto Advisory
This advisory
describes multiple vulnerabilities in the Gemalto Sentinel License Manager. The
vulnerabilities were reported by Kaspersky Labs. The latest version of the
software mitigates the vulnerabilities. There is no indication that Kaspersky Labs
has been provided an opportunity to verify the efficacy of the fix.
The seven reported vulnerabilities are:
• Null pointer dereference - CVE-2017-11498;
• Stack-based buffer overflow (4) - CVE-2017-11497, CVE-2017-11496, CVE-2017-12818 and CVE-2017-12821;
• Heap-based buffer overflow - CVE-2017-12820; and
• Improper access control - CVE-2017-12822
NOTE: This is essentially the same vulnerability that I have
discussed previously (here
and here).
The Kaspersky
article on this problem actually lists 14 vulnerabilities, not the seven
being reported here. I mentioned earlier that there may be as many as 40,000
products (not all being ICS, obviously) being affected by this issue. If the
Gemalto dongle is clearly identified as being a ‘Sentinel License Manager’,
then this advisory is clearly a much more effective means of addressing the
issue than issuing advisories on each of the affected product lines. If
the vendors using the dongles, however, have relabeled them, then this advisory
will not be effective in those cases. But that is not ICS-CERT’s fault.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities and that could lead to remote code
execution or cause a denial-of-service condition, rendering the Sentinel LDK
License Manager service unavailable (and the supported product also being
unavailable).
3S Advisory
This advisory
describes a stack-based buffer overflow in the 3S CODESYS Web Server. The vulnerability
was reported by Zhu WenZhe of Istury IOT security lab. 3S has released a
security patch to mitigate this vulnerability. There is no indication that Zhu
was provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability causing the device to crash, resulting
in a buffer overflow condition that may allow remote code execution.
Fuji Advisory
This advisory
describes a stack-based buffer overflow vulnerability in the Fuji V-Server VPR.
The vulnerability was reported by Ariele Caltabiano (kimiya) via the Zero Day
Initiative. Fuji has produced a new firmware version that mitigates the
vulnerability. There is no indication that Caltabiano has been provided an
opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to view sensitive information and disrupt the
availability of the device.
NXP Update
This update
provides new information for an advisory that was originally
published on October 12th, 2017. The update provides links to
the new version of the single remaining product that was not previously fixed.