Tuesday, March 6, 2018

ICS-CERT Publishes 3 Advisories and One Siemens Update


Today the DHS ICS-CERT published three new control system security advisories for products from Eaton, Schneider Electric, and Hirschmann Automation. They also updated a previously issued advisory for products from Siemens.

Eaton Advisory


This advisory describes an improper input validation vulnerability in the Eaton ELCSoft programming software. The vulnerability was reported by Ariele Caltabiano (kimiya) and axt working with the Zero Day Initiative. Eaton has produced a new version of the software (ICS-CERT mistakenly refers to ‘firmware’) to mitigate this vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to execute arbitrary code. The Eaton Security Update Advisory [.PDF Download] notes that the vulnerability only affects the Windows®-based PCs that run the software, not the programmable logic controllers being programmed.

Schneider Advisory


This advisory describes an uncontrolled search path element vulnerability in the Schneider SoMove software and DTM software components. The vulnerability was reported by ADLab of Venustech (NOTE: The Schneider security notification credits Haojun Hou from Adon with reporting the vulnerability). Schneider has produced new software versions that mitigate the vulnerabilities. There is no indication that the researchers have been afforded an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to execute arbitrary code.

Hirschmann Advisory


This advisory describes multiple vulnerabilities in the Hirschmann Classic Platform Switches. These vulnerabilities were reported by Ilya Karpov, Evgeniy Druzhinin, Mikhail Tsvetkov, and Damir Zainullin of Positive Technologies. Hirschmann provides workarounds to mitigate the vulnerabilities; there is no indication that additional mitigation measures are forthcoming. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Session fixation - CVE-2018-5465;
• Information exposure through query strings in GET requests - CVE-2018-546;
• Cleartext transmission of sensitive information - CVE-2018-5471;
• Inadequate encryption strength - CVE-2018-5461; and
• Improper restriction of excessive authentication requests - CVE-2018-5469

ICS-CERT reports that a highly-skilled attacker could remotely exploit these vulnerabilities to hijack web sessions, impersonate a legitimate user, receive sensitive information, and gain access to the device.

Siemens Update


This update provides new information on an advisory that was originally published on May 9th, 2017 and updated on June 15, 2017, on July 25th, 2017, on August 17th, 2017, on October 10th, on November 14th, November 28th, 2017, January 18th, 2018, January 25th, 2018, and most recently on January 27th, 2018. The new information is a link to mitigation measures for SCALANCE X-200IRT. ICS-CERT did not update the affected version information for this product to include the latest information in the Siemens security advisory; all versions before V5.4.0 are affected.
