Today the DHS ICS-CERT published three new control system security
advisories for products from Delta Industrial Automation, Moxa and Siemens.
They also updated the previously published alert for the Meltdown and Spectre
chip vulnerabilities.
Delta Advisory
This advisory
describes a stack-based buffer overflow vulnerability in the Delta DOPSoft
human machine interface. The vulnerability was reported by Ghirmay Desta via
the Zero Day Initiative. Delta has a new version that mitigates the
vulnerability. There is no indication that Desta has been provided an
opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to cause the device the attacker is
accessing to crash; a buffer overflow condition may allow remote code
execution.
Moxa Advisory
This advisory
describes three vulnerabilities in the Moxa OnCell high-speed industrial-grade
IP gateway. The vulnerabilities were reported by Kirill Nesterov, Eugenie
Potseluevskaya, and Radu Motspan of Kaspersky Labs. Moxa has released a new
firmware version that mitigates the vulnerabilities. There is no indication that
the researchers have been provided an opportunity to verify the efficacy of the
fix.
The three reported vulnerabilities are:
• Reliance on cookies without validation and integrity checking - CVE-2018-5455;
• Improper handling of length parameter inconsistency - CVE-2018-5453; and
• Null pointer dereference - CVE-2018-5449
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to execute code on the device.
Siemens Advisory
This advisory
describes multiple vulnerabilities in the Siemens SIMATIC, SIMOTION, and
SINUMERIK industrial computers. These vulnerabilities were self-reported by
Siemens. The Siemens security advisory reports that these are 3rd party
vulnerabilities in the Intel Management Engine (ME), Intel Server Platform
Services (SPS), and Intel Trusted Execution Engine (TXE).
The eight reported vulnerabilities are:
• Stack-based buffer overflow (5) - CVE-2017-5705, CVE-2017-5706, CVE-2017-5707, CVE-2017-5712, and CVE-2017-5711; and
• Permissions, privileges, and access controls (3) - CVE-2017-5708, CVE-2017-5709, and CVE-2017-5710
ICS-CERT reports that a relatively low-skilled attacker could
remotely (some of the vulnerabilities require local access) exploit the
vulnerabilities to execute arbitrary code or gain unauthenticated access to
sensitive data.
NOTE: Again, with 3rd party vulnerabilities one
has to wonder what other systems will be affected. But, since Intel is such a
small company (right) it is unlikely that any other vendors will use this
vulnerable code (pardon the sarcasm).
Meltdown Update
This update provides additional information on an alert that was originally
published on January 11th, 2018 and updated on January 16th, 2018,
January 17th, 2018, January 30th, 2018, February 20th, 2018, and again on
February 22nd, 2018.
The advisory provides links to new vendor reports on the
vulnerabilities:
• Dräger;
• Pepperl+Fuchs;
and