Yesterday the DHS ICS-CERT published two control system
security advisories for products from Beckhoff and Siemens. They also updated a
previously published advisory for products from Siemens. The two Siemens
products were mentioned in a previous blog
post.
Beckhoff Advisory
This advisory
describes an untrusted pointer dereference vulnerability in the Beckhoff TwinCAT
PLC products. The vulnerability was reported by Steven Seeley of Source Incite.
According to the Beckhoff security
advisory, the company has updates available that mitigate the
vulnerability. There is no indication that Seeley has been provided an opportunity
to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker with
uncharacterized access could exploit the vulnerability to escalate privileges.
ICS-CERT reports that Matlab modules need to be recompiled after updating.
Siemens Advisory
This advisory
describes an improper access control vulnerability in the Siemens SIMATIC WinCC
OA UI mobile app. The vulnerability was reported by Alexander Bolshev from
IOActive, and Ivan Yushkevich from Embedi. Siemens has updates available that
mitigate the vulnerability. There is no indication that the researchers have
verified the efficacy of the fix.
ICS-CERT reports that an uncharacterized attacker on an
adjacent network could exploit the vulnerability to read and write data from
and to the app’s project cache folder. The Siemens security
advisory notes that a social engineering attack is required to convince the
App user to connect to an attacker-controlled WinCC OA server
Siemens Update
This update
provides new information on an advisory that was originally
published on January 25th, 2018 and updated on February
6th. The update removes a product from the affected product
list.
Posts
No comments:
Post a Comment