Today the DHS ICS-CERT published three new control system
security advisories for products from Eaton, Schneider Electric, and Hirschmann
Automation. They also updated a previously issued advisory for products from
Siemens.
Eaton Advisory
This advisory
describes an improper input validation vulnerability in the Eaton ELCSoft
programming software. The vulnerability was reported by Ariele Caltabiano
(kimiya) and axt working with the Zero Day Initiative. Eaton has produced a new
version of the software (ICS-CERT mistakenly refers to ‘firmware’) to mitigate
this vulnerability. There is no indication that the researchers have been
provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker could
remotely exploit the vulnerability to execute arbitrary code. The Eaton Security
Update Advisory [.PDF Download] notes that the vulnerability only affects
the Windows® based PCs that run the software, not the programmable logic controllers
being programmed.
Schneider Advisory
This advisory
describes an uncontrolled search path element vulnerability in the Schneider SoMove
software and DTM software components. The vulnerability was reported by ADLab
of Venustech (NOTE: The Schneider security notification credits Haojun Hou from
Adon with reporting the vulnerability). Schneider has produced new software
versions that mitigate the vulnerabilities. There is no indication that the researchers
have been afforded an opportunity to verify the efficacy of the fix.
ICS-CERT reports that an uncharacterized attacker with
uncharacterized access could exploit the vulnerability to execute arbitrary
code.
Hirschmann Advisory
This advisory
describes multiple vulnerabilities in the Hirschmann Classic Platform Switches.
These vulnerabilities were reported by Ilya Karpov, Evgeniy Druzhinin, Mikhail
Tsvetkov, and Damir Zainullin of Positive Technologies. Hirschmann provides
workarounds to mitigate the vulnerabilities; there is no indication that
additional mitigation measures are forthcoming. There is no indication that the
researchers have been provided an opportunity to verify the efficacy of the
fix.
The five reported vulnerabilities are:
• Session fixation - CVE-2018-5465;
• Information exposure through query strings in GET requests - CVE-2018-546;
• Cleartext transmission of sensitive information - CVE-2018-5471;
• Inadequate encryption strength - CVE-2018-5461; and
• Improper restriction of excessive authentication requests - CVE-2018-5469
ICS-CERT reports that a highly-skilled attacker could
remotely exploit these vulnerabilities to hijack web sessions, impersonate a
legitimate user, receive sensitive information, and gain access to the device.
Siemens Update
This update
provides new information on an advisory that was originally
published on May 9th, 2017 and updated on June 15, 2017, on July 25th, 2017,
on August 17th, 2017, on October 10th, on November 14th, November 28th, 2017,
January 18th, 2018, January 25th, 2018, and most recently on January 27th,
2018. The new information is a link to mitigation measures
for SCALANCE X-200IRT. ICS-CERT did not update the affected version information
for this product to include the latest information in the Siemens security
advisory; all versions before V5.4.0 are affected.