Yesterday the DHS ICS-CERT published a medical device security
advisory for products from GE. They also published four control system security
advisories for products from OSIsoft (3) and Omron. The GE advisory was
originally published on the secure HSIN ICS-CERT library on February 6, 2018.
GE Advisory
This advisory
describes an improper authentication vulnerability in a number of GE healthcare
products. The vulnerability was reported by Scott Erven. GE has produced
updates for all but three of the products that mitigate the vulnerability.
There is no indication that Erven has been provided an opportunity to verify
the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to bypass authentication and gain
access to the affected devices.
Interestingly, these vulnerabilities were reported to ICS-CERT
in 2015 and advisories were subsequently issued (SB 15-222) by
US-CERT. Forbes reported
on the issue in 2015 and a presentation was made by Erven at Shakacon (see Dale
Peterson’s Tweet)
about the issues the same year. I cannot understand why a secure posting about
the vulnerability was justified or why it took almost three years to fix the
problem. Oh, the FDA has not published anything about these vulnerabilities on
the Device
Safety page (either for 2015 or 2018). BTW: Rocky and Bullwinkle fans, take
a close look at the URL for the 2015
Safety Communications page.
PI Web API Advisory
This advisory
describes two vulnerabilities in the OSIsoft Web API. OSIsoft is self-reporting
these vulnerabilities. They have provided an update that mitigates the
vulnerabilities.
The two reported vulnerabilities are:
• Permissions, privileges and access controls - CVE-2018-7500; and
• Improper neutralization of input during web page generation - CVE-2018-7508
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to gain escalated privileges and
possibly execute code remotely.
PI Vision Advisory
This advisory
describes two vulnerabilities in the OSIsoft PI Vision. These vulnerabilities
are self-reported. OSIsoft has an update available that mitigates the
vulnerabilities.
The two reported vulnerabilities are:
• Protection mechanism failure - CVE-2018-7504; and
• Information exposure - CVE-2018-7496
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow remote code execution and
expose information.
NOTE: I reported
on these vulnerabilities last month when OSIsoft first published their
advisory. The OSIsoft alert
notes that there are two separate information exposure vulnerabilities, but
OSIsoft does not publish CVE numbers so it is not easy to tell if there is an
actual discrepancy here.
PI Data Archive Advisory
This advisory
describes three vulnerabilities in the OSIsoft PI Data Archive. These vulnerabilities
are being self-reported by OSIsoft. They have an update available that
mitigates the vulnerabilities.
The three reported vulnerabilities are:
• Deserialization of untrusted data - CVE-2018-752;
• Incorrect default permissions - CVE-2018-7533; and
• Improper input validation - CVE-2018-7531
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to cause loss of network access to
the device or allow escalated privileges that may result in gaining full
control of the PI Data Archive server.
NOTE: I reported
on these vulnerabilities last month when OSIsoft first published their
advisory.
Omron Advisory
This advisory
describes seven vulnerabilities in the Omron CX-Supervisor. The vulnerabilities
were reported by rgod via the Zero Day Initiative. Omron has released a new
version that mitigates the vulnerabilities. There is no indication that rgod has
been provided an opportunity to verify the efficacy of the fix.
The seven reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2018-7513;
• Use after free - CVE-2018-7521;
• Access of uninitialized pointer - CVE-2018-7515;
• Double free - CVE-2018-7523;
• Out-of-bounds write - CVE-2018-7517;
• Untrusted pointer dereference - CVE-2018-7525; and
• Heap-based buffer overflow - CVE-2018-7519
ICS-CERT reports that a relatively low-skilled attacker with
uncharacterized access could exploit these vulnerabilities to allow remote code
execution.