Today the DHS ICS-CERT published four new control system
security advisories for products from Schneider Electric (2), GE and Nortek.
Additionally, they provided an update for a previously published advisory for
products from ABB.
StruxureOn Advisory
This advisory
describes an unrestricted upload of file with dangerous type vulnerability in
the Schneider StruxureOn Gateway software management program. The vulnerability
is being self-reported.
ICS-CERT reports that a relatively low-skilled attacker could
remotely exploit the vulnerability to upload a malicious file to any directory
on the device, which could lead to remote code execution. The Schneider security
advisory reports that the file must be a .zip file with specifically
modified metadata for this vulnerability to be exploited.
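The advisory does not say which part of the archive metadata is modified. One common way a .zip upload ends up writing "to any directory on the device" is entry names that carry '..' components or absolute paths, which a naive extractor obeys. The following is an added defensive example, not Schneider's code and not taken from either advisory; the traversal mechanism is an assumption used to illustrate the check, and the archive contents are constructed samples. It validates every entry name against the intended extraction directory before a single byte is written.

```python
import io
import os
import posixpath
import tempfile
import zipfile


class UnsafeArchiveError(ValueError):
    """An archive entry would land outside the intended extraction directory."""


def safe_entry_path(target_dir, entry_name):
    """Map an archive entry name to a path inside target_dir, or raise.

    Entry names are archive metadata controlled by whoever built the file,
    so absolute names, drive letters and '..' components are all rejected.
    """
    name = entry_name.replace("\\", "/")          # tolerate Windows-built archives
    if not name or posixpath.isabs(name) or (len(name) > 1 and name[1] == ":"):
        raise UnsafeArchiveError("absolute or empty entry name: %r" % entry_name)
    root = os.path.realpath(target_dir)
    dest = os.path.realpath(os.path.join(root, *name.split("/")))
    # realpath() collapses '..' segments; anything not under root is an escape
    if dest != root and not dest.startswith(root + os.sep):
        raise UnsafeArchiveError("entry escapes target directory: %r" % entry_name)
    return dest


def check_archive(zip_bytes, target_dir, max_entries=1000):
    """Validate every entry before writing. Returns (accepted, rejected) lists."""
    accepted, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        infos = zf.infolist()
        if len(infos) > max_entries:
            raise UnsafeArchiveError("too many entries: %d" % len(infos))
        for info in infos:
            try:
                accepted.append((info.filename, safe_entry_path(target_dir, info.filename)))
            except UnsafeArchiveError as exc:
                rejected.append((info.filename, str(exc)))
    return accepted, rejected


def extract_safely(zip_bytes, target_dir):
    """Extract only if the whole archive validates; returns the files written.

    Validate-then-write means one bad entry leaves no partial output behind.
    """
    accepted, rejected = check_archive(zip_bytes, target_dir)
    if rejected:
        raise UnsafeArchiveError("rejected entries: %s" % [r[0] for r in rejected])
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name, dest in accepted:
            if name.endswith("/"):                 # directory entry
                os.makedirs(dest, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(dest), exist_ok=True)
            with zf.open(name) as src, open(dest, "wb") as out:
                out.write(src.read())
            written.append(dest)
    return written


def build_archive(entries):
    """Constructed fixture: build an in-memory zip from a {name: bytes} mapping.

    zipfile does not sanitise names on write, so this produces the kind of
    archive with modified entry metadata that a validator must refuse.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def run_demo():
    """Constructed samples: a benign upload and an archive with a traversal entry."""
    benign = build_archive({"config/settings.ini": b"[main]\nport=8080\n"})
    hostile = build_archive({"../../outside.txt": b"escaped\n", "ok.txt": b"decoy\n"})
    with tempfile.TemporaryDirectory() as tmp:
        uploads = os.path.join(tmp, "uploads")
        os.makedirs(uploads)
        written = extract_safely(benign, uploads)
        _, rejected = check_archive(hostile, uploads)
        try:
            extract_safely(hostile, uploads)
            hostile_blocked = False
        except UnsafeArchiveError:
            hostile_blocked = True
        # the decoy must not have been written either (validate-then-write)
        decoy_written = os.path.exists(os.path.join(uploads, "ok.txt"))
    return {"benign_written": len(written), "rejected_names": [r[0] for r in rejected],
            "hostile_blocked": hostile_blocked, "decoy_written": decoy_written}


if __name__ == "__main__":
    print(run_demo())
```

The check is deliberately done on the resolved path rather than by string-matching for "..", so encodings that normalise to a parent directory are caught the same way, and the entry count cap limits the damage a very large archive can do before validation finishes.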
IGSS Mobile Advisory
This advisory
describes two vulnerabilities in the Schneider IGSS Mobile application (iOS and
Android). The vulnerabilities were reported by Alexander Bolshev (IOActive) and
Ivan Yushkevich (Embedi). Schneider has produced updates for both versions.
There is no indication that either researcher has been provided an opportunity
to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Improper certificate validation - CVE-2017-9968; and
• Plaintext storage of password - CVE-2017-9969
ICS-CERT reports that a relatively low-skilled attacker with
local access (okay, they actually said: “Locally exploitable”; that may not
mean ‘local access’) could exploit the vulnerability to execute a
man-in-the-middle attack. In addition, passwords can be accessed by
unauthorized users.
NOTE: Marc Ayala pointed out to me that anyone can download
these apps from the appropriate (iOS/Android) app store. This means that it
would be easy to exploit a compromised mobile password. All the attacker needs
to do is get access to the IGSS configuration file on an oh-so-secure smart
phone to compromise the password.
GE Advisory
This advisory
describes two vulnerabilities in the GE D60 Line Distance Relay. The
vulnerabilities were reported by Kirill Nesterov of Kaspersky Labs. GE has
released new firmware that mitigates the vulnerability. There is no indication
that Nesterov was provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2018-5475; and
• Improper restriction of operations within bounds of memory buffer - CVE-2018-5473
ICS-CERT reports that a relatively low-skilled attacker could
remotely exploit the vulnerabilities to execute arbitrary code on the device.
Nortek Advisory
This advisory
describes a command injection vulnerability in the Nortek Linear eMerge E3
Series access control interface. The vulnerability was reported by Evgeny
Ermakov and Sergey Gordeychik. Nortek recommends upgrading the system using
established procedures. There is no indication that either researcher was
provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to execute malicious code on the system with
elevated privileges, allowing for full control of the server.
ABB Update
This update
provides additional information on an advisory that was originally
published on November 14th, 2017. The update reports that the
new update of Mesh OS mitigates the KRACK vulnerability in these devices.
NOTE: The updated ABB security
advisory that forms the basis for this ICS-CERT update was published on
January 11th, 2018.