This week we have one vendor notification from Siemens and
two exploits for previously disclosed vulnerabilities in products from Hikvision
and Advantech.
Siemens Advisory
This advisory describes 8 vulnerabilities in Siemens Building
Technologies Products. The vulnerabilities were reported by Sergey
Temnikov and Vladimir Dashchenko from Kaspersky Lab. The newest versions
of the license management systems for the affected products mitigate the
vulnerabilities. There is no indication that the researchers have been
provided an opportunity to verify the efficacy of the fix.
These reported vulnerabilities are the Gemalto Sentinel LDK RTE
vulnerabilities that have been previously reported by Siemens in other
products.
Hikvision Exploit
This exploit provides proof-of-concept code for an attack on IP cameras
from Hikvision. The backdoor vulnerability was previously disclosed on
May 4th, 2017. The exploit was published by Matamorphosis on
Exploit-DB.com.
Advantech Exploit
This exploit provides proof-of-concept code for an attack on the
WebAccess products from Advantech. The stack-based buffer overflow
vulnerability was previously disclosed on January 14th, 2016. The exploit
was published by Chris Lyne on Exploit-DB.com.
Commentary
I noted in an earlier post that this set of Gemalto vulnerabilities
probably affects a wide range of ICS products (including products from at
least three other major ICS vendors) and suggested that ICS-CERT should
have done an alert on these vulnerabilities. It is not too late to do so.
While both of the exploited vulnerabilities described above were
previously reported by ICS-CERT as not having publicly available exploits,
ICS-CERT does not make a practice of removing that language from their
advisories when exploits do become publicly available. It would probably
be valuable to the ICS security community if that practice were changed.