Saturday, February 17, 2018

Public ICS Disclosures – Week of 02-10-18


This week we have seen an apparently new zero-day reported in an Advantech product, an exploit for a previously released Siemens vulnerability, two new vendor reports from OSIsoft that have not been addressed by ICS-CERT, and two vendor reports that were issued late this week that may show up in ICS-CERT advisories.

Advantech Zero-Day


Nassim Asrir reported a remote code execution vulnerability in the Advantech WebAccess product. The report on ExploitDB.com includes exploit code. Asrir reports that an attacker could remotely exploit the vulnerability to execute arbitrary OS commands via a single argument.

Siemens Exploit


M. Can Kurnaz published exploit code on ExploitDB.com this week for a previously published vulnerability in the Siemens SIPROTEC 4 and SIPROTEC Compact product families. ICS-CERT had previously reported that a relatively unskilled attacker could remotely exploit this vulnerability, but the published exploit code just made it that much easier. A firmware patch was made available almost three years ago to mitigate this vulnerability, so hopefully this exploit will be of no practical use.

OSIsoft Advisories


This week OSIsoft released two new product updates that were specifically listed as ‘security updates’. The two products involved were PI Data Archive 2017 R2 and PI Vision 2017 R2.

There were five ‘issues’ reported in the PI Data Archive alert:

• Privilege escalation;
• Improper handling of serialization or comparison of a variable;
• Improper input validation;
• Authentication protocol flaws; and
• High Availability authentication protocol flaws.

The PI Vision alert notes that changes were made in the default configuration of HTTP headers to prevent a cross-site scripting issue and two information disclosure issues.

Possibly Pending on ICS-CERT


We have two vendor reports that were issued on Thursday that may still make it to the ICS-CERT site next week so I will just mention them in passing.

ABB does not generally report their advisories to ICS-CERT, but they updated their Meltdown & Spectre advisory, which has been mentioned in the ICS-CERT alert on the same topic.

Schneider released a new security advisory listing new products that were affected by one of the previously reported vulnerabilities in their FlexNet Publisher Licensing Service.
