Saturday, March 3, 2018

Public ICS Disclosures – Week of 2-24-18

We have two new vendor security advisories this week from Schneider and Siemens. Siemens also published an update to their ultrasound products notice for the WannaCry vulnerability. I mentioned the Siemens advisory and update in passing earlier this week.

Schneider Advisory

This advisory describes 11 vulnerabilities in the Pelco Sarix Professional fixed IP video surveillance cameras. The vulnerabilities were variously reported by Deng Yongkai of NSFOCUS Security Team, Melih Berk Eksioglu of Biznet Bilisim A.S., and Gjoko Krstic of Zero Science Labs. Schneider has a new firmware version that mitigates the vulnerabilities. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

The reported vulnerabilities include:

• Information disclosure - CVE-2018-7227;
• Authentication bypass (3) - CVE-2018-7228, CVE-2018-7229, and CVE-2018-7236;
• XML external entity vulnerability - CVE-2018-7230;
• Command execution vulnerability (4) - CVE-2018-7231, CVE-2018-7232, CVE-2018-7233, and CVE-2018-7235;
• Arbitrary file download - CVE-2018-7234; and
• Arbitrary file delete - CVE-2018-7237

ICS-CERT has published some surveillance camera security advisories, but it has been hit and miss. My coverage here has also been hit and miss since I lost (paid) access to the IPVM web site; they are certainly the best information source for vulnerability information (and lots of other information) on video systems. Since Schneider owns Pelco, there will be specific coverage in these weekly posts as appropriate since Schneider publishes a list of advisories as they are issued. That does not mean that other video systems are vulnerability free, just that I have not seen their reports.

Siemens Advisory

This advisory describes 8 vulnerabilities in the Siemens SIMATIC industrial PCs. The vulnerabilities are due to the presence of one or more of three Intel products in the PCs; Intel reported on these vulnerabilities back in November 2017. Siemens has identified a generic workaround for the vulnerabilities and there is no indication that further mitigations are in the works.

The reported vulnerabilities include:

• Buffer overflow (5) - CVE-2017-5705, CVE-2017-5706, CVE-2017-5707, CVE-2017-5711, and CVE-2017-5712; and
• Privilege escalation (3) - CVE-2017-5708, CVE-2017-5709, and CVE-2017-5710

The underlying Intel problems are widespread and relatively serious. The Siemens advisory does not comment on the Intel mitigation measures (required dual firmware and software updates) nor the Intel detection tool. I wonder if they are still checking to see if those mitigations are compatible with their products or whether they are working on updates that will work with the Intel mitigation measures. It is not like Siemens not to provide this type of information.

Siemens Update

This update describes new mitigation information for the WannaCry vulnerability in the Siemens Healthineers ultrasound products. Technically, this update was included (but certainly not mentioned) in the latest ICS-CERT update of their WannaCry Alert (dated June 13th, 2017) since the link for this product line automatically takes one to the latest version.
