Today the DHS ICS-CERT published two control system security
advisories for products from Siemens.
SIPROTEC Advisory 1
This advisory
describes two vulnerabilities in the Siemens SIPROTEC 4, SIPROTEC Compact,
DIGSI 4, and EN100 Ethernet module. The vulnerabilities were reported by Ilya
Karpov and Dmitry Sklyarov from Positive Technologies. Siemens has provided
updates for a number of the affected products to mitigate the vulnerabilities.
There is no indication that the security researchers have been provided an
opportunity to verify the efficacy of the fix. The Siemens security advisory
provides a generic workaround for the systems for which updates have yet to be
provided.
The two reported vulnerabilities are:
• Missing authentication for critical function - CVE-2018-4840; and
• Inadequate encryption strength - CVE-2018-4839
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to upload a modified device
configuration that could overwrite access authorization passwords, or allow an
attacker to capture certain network traffic that could contain authorization
passwords.
SIPROTEC Advisory 2
This advisory
describes a missing authentication vulnerability in the Siemens SIPROTEC 4,
SIPROTEC Compact, and Reyrolle devices using the EN100 Ethernet communication
module extension. The vulnerability was reported by Ilya Karpov and Alexey
Stennikov from Positive Technologies. Siemens has developed a new version for
one of the affected products to mitigate the vulnerability, and generic
workarounds that can be used while Siemens develops the remainder of the
updates. There is no indication that the researchers have been provided an
opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to either upgrade or downgrade the
firmware of the device, including downgrading to older versions with known
vulnerabilities.