Tuesday, March 27, 2018

ICS-CERT Publishes Two Advisories

Today the DHS ICS-CERT published a medical device security advisory for products from Philips and a control system security advisory for products from Schneider Electric.

Philips Advisory

This advisory describes two vulnerabilities in the Philips Alice 6 System sleep diagnostic system. The vulnerabilities are apparently self-reported. Philips plans on producing a new product version in December that will mitigate the vulnerability.

The two reported vulnerabilities are:

• Improper authentication - CVE-2018-5451; and
• Missing encryption of sensitive data - CVE-2018-7498

ICS-CERT reports that a relatively low-skilled attacker using publicly available exploits could remotely exploit the vulnerabilities to gain visibility to usernames/passwords and personal data. Insufficient encryption and cryptographic integrity checks can lead to altered, corrupted, or disclosed sensitive data. Disclosure of personal data can occur by replacing a trusted node with a malicious node.

NOTE: These vulnerabilities were not reported on the FDA Medical Device Safety Communications page.

Schneider Advisory

This advisory describes three vulnerabilities in the Schneider Modicon products. The vulnerabilities were separately reported by Nikita Maximov, Alexey Stennikov, and Kirill Chernyshov of Positive Technologies as well as Meng Leizi and Zhang Daoquan. Schneider has described generic workarounds to mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2018-7240;
• Use of hard-coded credentials - CVE-2018-7241; and
• Use of broken or risky cryptographic algorithm - CVE-2018-7242

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to gain unauthorized access to the file transfer service on the device, which could result in arbitrary code execution or malicious firmware installation.

NOTE: These are the Modicon FTP vulnerabilities that I reported on Saturday.

