Wednesday, March 21, 2018

ICS-CERT Publishes 2 Advisories and 3 Updates

Yesterday the DHS ICS-CERT published two new control system advisories for products from Siemens and Geutebruck. It also updated three previously published control system advisories for products from Siemens (2) and AutomationDirect. ICS-CERT has missed some recent Siemens updates and an advisory.

Siemens Advisory


This advisory describes an improper input validation vulnerability in the Siemens SIMATIC, SINUMERIK, and PROFINET IO products. The vulnerability is being self-reported by Siemens. Siemens has provided updates that mitigate the vulnerability in some products and has provided generic workarounds for the remaining products while updates are developed for them.

ICS-CERT reports that an uncharacterized attacker on an adjacent network could exploit this vulnerability to cause a denial-of-service condition requiring a manual restart to recover the system. The Siemens security advisory notes that OSI Layer 2 access is required to exploit the vulnerability.

Geutebruck Advisory


This advisory describes six vulnerabilities in the Geutebruck IP cameras. The vulnerabilities were reported by Davy Douhine of RandoriSec and Nicolas Mattiocco of Greenlock. Geutebruck has a new firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Improper authentication - CVE-2018-7532;
• SQL injection - CVE-2018-7528;
• Cross-site request forgery - CVE-2018-7524;
• Improper access control - CVE-2018-7520;
• Server-side request forgery - CVE-2018-7516; and
• Cross-site scripting - CVE-2018-7512

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities, leading to proxy network scans, access to a database, the addition of an unauthorized user to the system, a full configuration download including passwords, and remote code execution.

SIMATIC Update


This update provides additional information on an advisory that was originally published on February 27th, 2018. It provides updated version information and mitigation measures for:

• SIMATIC IPC547G: Update BIOS to R1.21.0

SIPROTEC Update


This update provides additional information on an advisory that was originally published on July 6th, 2017, and updated on July 18th, on July 28th, on October 10th, on November 30th, and then again on January 4th, 2018. It provides updated version information and mitigation measures for:

• SIPROTEC 7SJ66: All versions prior to V4.30


AutomationDirect Update


This update provides additional information on an advisory that was originally published on November 9th, 2017. It adds a new product (Do-more Designer) to the list of vulnerable products and provides mitigation links for that product.

Missing Siemens Updates


Siemens has published updates and advisories that have not been covered in this latest series of ICS-CERT publications. Normally, I would not mention the ones from yesterday (two updates here and here, and a new advisory here), but today’s new Siemens advisory was also released yesterday. There is also an update from last week (here) that was not mentioned.

Two of the updates (here and here) are for the Spectre and Meltdown vulnerabilities in the Siemens Industrial products. ICS-CERT is unlikely to update their alert to reflect these new mitigation measures since the existing link to the Siemens advisory will take someone to the new information. This is a potential problem for anyone that is relying on ICS-CERT for information, but because of the way that ICS-CERT does their updates (and does not provide detailed change information) this appears to be unavoidable.
