Wednesday, February 28, 2018

ICS-CERT Publishes 5 Advisories and 5 Siemens Updates


Yesterday the DHS ICS-CERT published two medical device security advisories for products from Philips and Medtronic, and three industrial control system security advisories for products from Emerson, Delta Electronics and Siemens. They also updated five previously published control system security advisories for a variety of Siemens products.

NOTE: The Siemens advisory and five updates were briefly mentioned here last week. There was another advisory and another update (both 3rd party vendor problems affecting Siemens products) that Siemens announced at the same time that ICS-CERT has apparently decided not to address.

ICS-CERT also recently announced a call for abstracts for the Spring 2018 meeting of the ICSJWG in Albuquerque, NM on April 10 - 12, 2018. Abstracts need to be submitted by March 13th, 2018.

Philips Advisory


This advisory describes a relatively large number of vulnerabilities in the Philips Intellispace Portal ISP visualization and image analysis system. The vulnerabilities are apparently being self-reported. There is no report about these vulnerabilities on the FDA medical device safety page. Philips will be issuing an updated version in the coming months to mitigate the vulnerabilities.

NOTE: Apparently at least some of these vulnerabilities are 3rd party vendor issues that have seen publicly available exploits in other products.

The 35 reported vulnerabilities include:

• Improper input validation (13) - CVE-2018-5474, CVE-2017-0143, CVE-2017-0144, CVE-2017-0145, CVE-2017-0146, CVE-2017-0148, CVE-2017-0272, CVE-2017-0277, CVE-2017-0278, CVE-2017-0279, CVE-2017-0269, CVE-2017-0273, and CVE-2017-0280;
• Information exposure (8) - CVE-2017-0147, CVE-2017-0267, CVE-2017-0268, CVE-2017-0270, CVE-2017-0271, CVE-2017-0274, CVE-2017-0275, and CVE-2017-0276;
• Permissions, privileges and access controls (4) - CVE-2018-5472, CVE-2018-5468, CVE-2017-0199, and CVE-2005-1794;
• Unquoted search path element - CVE-2018-5470;
• Left over debug code - CVE-2018-5454; and
• Cryptographic issues (8) - CVE-2018-5458, CVE-2018-5462, CVE-2018-5464, CVE-2018-5466, CVE-2011-3389, CVE-2004-2761, CVE-2014-3566, and CVE-2016-2183

ICS-CERT reports that an uncharacterized attacker could remotely exploit these vulnerabilities to gain unauthorized access to sensitive information, perform man-in-the-middle attacks, create denial of service conditions, or execute arbitrary code.

Medtronic Advisory


This advisory describes two vulnerabilities in the Medtronic 2090 CareLink Programmers. The vulnerabilities were reported by Billy Rios and Jonathan Butts of Whitescope LLC. There is no report about these vulnerabilities on the FDA medical device safety page. Medtronic has identified compensating controls that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Storing passwords in a recoverable format - CVE-2018-5446; and
• Relative path traversal - CVE-2018-5448

ICS-CERT reports that an uncharacterized attacker with physical access to a CareLink Programmer could exploit the vulnerabilities to obtain per-product credentials to the software deployment network. These credentials grant access to the software deployment network, but that access is limited to read-only copies of device software applications; the credentials carry no write capability.

Emerson Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Emerson ControlWave Micro Process Automation Controller. The vulnerability was reported by Younes Dragoni of Nozomi Networks. Emerson has a new firmware version that mitigates the vulnerability. There is no indication that Dragoni has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial of service condition.

Delta Advisory


This advisory describes three vulnerabilities in the Delta WPLSoft PLC programming software. The vulnerabilities were reported by Axt via the Zero Day Initiative. The newest version of the software mitigates the vulnerabilities. There is no indication that Axt has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2018-7494;
• Heap-based buffer overflow - CVE-2018-7507; and
• Out-of-bounds write - CVE-2018-7509

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote code execution or cause the software the attacker is accessing to crash.

Siemens Advisory


This advisory describes a cryptographic vulnerability in the Siemens SIMATIC Industrial PCs. This is a 3rd party vulnerability in the RSA key generation of Infineon's Trusted Platform Module (the ROCA flaw, CVE-2017-15361), which produces RSA keys whose private half can be recovered from the public modulus alone. The vulnerability is being self-reported by Siemens. Siemens has produced firmware updates that mitigate the vulnerability; since the update only corrects future key generation, RSA keys generated by the TPM before the update remain weak and have to be regenerated.

ICS-CERT reports that an uncharacterized attacker [probably pretty skilled IMO] could remotely exploit the vulnerability to conduct cryptographic attacks against the key material.

NOTE: This is going to be a widespread vulnerability, potentially affecting any control system using Infineon’s Trusted Platform Module for the generation of RSA keys. It is also another case where an ICS-CERT alert last fall, when the problem was publicly disclosed, would have been helpful.
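Because the ROCA weakness is visible in the public modulus, an asset owner can test every RSA key and certificate on a SIMATIC IPC (or any other TPM-backed device) without vendor help. The script below is an added example, not code from Siemens, Infineon or ICS-CERT: it implements the public fingerprint test (the modulus reduced modulo each of the small primes 3 through 167 must fall in the subgroup generated by 65537), and, to exercise it offline, constructs one modulus with the flawed RSALib structure and one ordinary modulus from random primes. The key sizes, the seed and the 40-bit `k` range are illustrative choices, not Infineon's actual parameters.

```python
"""ROCA fingerprint test for an RSA public modulus (added example).

Infineon's RSALib built each prime as p = k*M + (65537^a mod M), with M
the product of the first n small primes. Any modulus N = p*q then
satisfies N mod M = 65537^(a+b) mod M, so N mod r is a power of 65537
for every small prime r dividing M. Checking that for the 38 odd primes
3..167 is the public-key-only fingerprint; a key generated any other way
fails it with overwhelming probability. Only the modulus is needed.
"""
import random

GENERATOR = 65537  # RSALib used the public exponent as the generator
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
M = 1
for _r in SMALL_PRIMES:
    M *= _r  # primorial over the fingerprint primes (about 218 bits)


def _subgroup(r):
    """Residues {65537^k mod r}: the subgroup of Z_r* generated by 65537."""
    seen, x = set(), 1
    while x not in seen:
        seen.add(x)
        x = (x * GENERATOR) % r
    return seen


ALLOWED = {r: _subgroup(r) for r in SMALL_PRIMES}  # precomputed once


def has_roca_fingerprint(n):
    """True if n mod r is a power of 65537 for every small prime r."""
    return all(n % r in ALLOWED[r] for r in SMALL_PRIMES)


def _is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin; adequate for generating demo moduli."""
    if n < 2:
        return False
    for r in [2] + SMALL_PRIMES:
        if n % r == 0:
            return n == r
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_style_modulus(rng, k_bits=40):
    """Constructed weak key: both primes have the RSALib form k*M + 65537^a mod M.
    k_bits is an illustrative choice, not Infineon's parameter."""
    primes = []
    while len(primes) < 2:
        residue = pow(GENERATOR, rng.randrange(1, M), M)
        k = rng.getrandbits(k_bits)
        while not _is_probable_prime(k * M + residue, rng):
            k += 1  # every candidate keeps the structured residue mod M
        primes.append(k * M + residue)
    return primes[0] * primes[1]


def random_modulus(rng, bits=256):
    """Constructed ordinary key: two random primes with no small-prime structure."""
    primes = []
    while len(primes) < 2:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        while not _is_probable_prime(p, rng):
            p += 2
        primes.append(p)
    return primes[0] * primes[1]


def demo(seed=2018):
    """Fingerprint one constructed weak modulus and one ordinary modulus."""
    rng = random.Random(seed)  # seeded so the demo is reproducible
    weak, good = roca_style_modulus(rng), random_modulus(rng)
    return {"weak": has_roca_fingerprint(weak), "weak_bits": weak.bit_length(),
            "ordinary": has_roca_fingerprint(good), "ordinary_bits": good.bit_length()}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

On a real device, pull the modulus out of each certificate or public key (for example with `openssl x509 -noout -modulus`) and feed the integer to `has_roca_fingerprint`; a positive result means the key was generated by the flawed library and should be replaced after the firmware update, regardless of its length.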

SIMATIC Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, on July 25th, 2017, on August 17th, 2017, on October 10th, 2017, on November 14th, 2017, on November 28th, 2017, and most recently on January 18th, 2018. The update adds five new vulnerabilities to the advisory:

• Improper restriction of operations within the bounds of a memory buffer (3) - CVE-2017-12818, CVE-2017-12820, and CVE-2017-12821;
• Security features - CVE-2017-12819; and
• Improper access control - CVE-2017-12822

Industrial Products Update


This update provides additional information on an advisory that was originally published on December 5th, 2017 and updated on December 19th, 2017 and again on January 23rd, 2018. The new information includes new affected version data and mitigation links for:

• SIMATIC ET 200MP IM155-5 PN ST: All versions prior to V4.1;
• SIMOTION P V4.4 and V4.5: All versions prior to V4.5 HF5;
• DK Standard Ethernet Controller: All versions prior to V4.1.1 Patch 05; and
• EK-ERTEC 200 PN IO: All versions prior to V4.5

PROFINET 1 Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, on July 25th, 2017, on August 17th, 2017, on October 10th, 2017, on November 14th, 2017, and most recently on January 23rd, 2018. The update provides updated affected version information and mitigation links for:

• SIMATIC WinCC flexible 2008: All versions prior to flexible 2008 SP5

PROFINET 2 Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, on July 25th, 2017, on August 17th, 2017, on October 10th, 2017, on November 14th, 2017, on November 28th, 2017, on January 18th, 2018, and most recently on January 25th, 2018. The new information includes new affected version data and mitigation links for:

• SIMATIC ET 200MP IM155-5 PN ST: All versions prior to V4.1

Ruggedcom Update


This update provides additional information on an advisory that was originally published on September 28th, 2017, and updated on October 17th, 2017. The new information adds corrected version information and mitigation links for:

• SCALANCE XR-500/XM-400: All versions between v6.1 and v6.1.1; and
• SCALANCE XB-200/XC-200/XP-200/XR300-WG: All versions between v3.0 and v3.0.2
