Yesterday the DHS ICS-CERT published three control system security advisories for products from Siemens (2) and WAGO, as well as a medical device security advisory for products from Philips.
SIMATIC Advisory
This advisory describes an improper input validation vulnerability in the Siemens SIMATIC product line. The vulnerability was reported by Vladimir Dashchenko of Kaspersky Lab and independent researcher cdev1. A new version is available for one product that mitigates the vulnerability; activating an existing control mitigates the vulnerability in the others. There is no indication that either of the researchers has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition on the remote and local communication functionality of the affected products. A system reboot is required to recover.
TIM 1531 Advisory
This advisory describes an incorrect implementation of an algorithm vulnerability in the Siemens TIM 1531 IRC communications modules. The vulnerability is self-reported. A new version is available that mitigates the vulnerability.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition, or to read and manipulate data and configuration settings of the affected device.
WAGO Advisory
This advisory describes an improper shutdown or release vulnerability in the WAGO 750 Series PLC. The vulnerability was reported by Younes Dragoni of Nozomi Networks. WAGO has released new firmware that mitigates the vulnerability. There is no indication that Dragoni has been provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition affecting the ability of the device to establish connections to commissioning and service software tools. The WAGO security advisory notes that the vulnerability only affects WAGO communication via the WAGO Ethernet TCP/IP driver, and that communications are still possible via the 3S TCP/IP level 2 driver and WAGO Service Communication over TCP/IP.
Philips Advisory
This advisory describes a large (indeterminate) number of vulnerabilities in the Philips iSite and IntelliSpace picture archiving and communication systems (PACS). The vulnerabilities are self-reported. Philips has provided multiple options for mitigating up to 99.9% of the vulnerabilities.
The reported vulnerabilities include:
• Improper restriction of operations within the bounds of a memory buffer (#?);
• Code/source code vulnerabilities (at least 18);
• Information exposure (#?);
• Improper control of generation of code (#?);
• Weaknesses in the OWASP Top Ten (at least 6);
• Improper restriction of XML external entity reference;
• Other 3rd party component vulnerabilities (#?).
ICS-CERT reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to provide unexpected input into the application, execute arbitrary code, alter the intended control flow of the system, access sensitive information, or potentially cause a system crash.
Comment: This is a really flaky advisory and it certainly does not appear to be a problem at ICS-CERT. I am pretty sure that the authors of this advisory wanted to say that: “These products are just screwed up.” Unfortunately, that type of broad characterization is even less helpful than this report. Oh, and Philips? The comment on their product security web page is priceless: “Philips will continue to add cybersecurity vulnerability remediation improvements through our Secure Development Lifecycle (SDL) as threats continue.” At least they did self-report this fiasco.
NOTE: These vulnerabilities were not reported on the FDA Medical Device Safety Communications page.
Missing Siemens Update
On Tuesday (the same day that Siemens announced the two advisories above) Siemens announced that they had updated their advisory on the improper input validation vulnerability in the Siemens SIMATIC, SINUMERIK, and PROFINET IO products reported last week by ICS-CERT. The update removed a product from the affected product list.