Yesterday the DHS ICS-CERT published a control system advisory for products from Siemens. These are the vulnerabilities I reported on Saturday.
This advisory describes eight vulnerabilities in the Siemens Building Technologies Products. These are Gemalto Sentinel LDK RTE vulnerabilities that have been previously reported by Siemens in other products. The vulnerabilities were reported by Sergey Temnikov and Vladimir Dashchenko from Kaspersky Labs. Siemens has a newer version of the License Management System (LMS) that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The eight reported vulnerabilities are:

• Stack-based buffer overflow (2) - CVE-2017-11496, CVE-2017-11497;
• Security features - CVE-2017-12819;
• Improper restriction of operations within the bounds of a memory buffer - CVE-2017-12821;
• Null pointer dereference - CVE-2017-11498;
• XML entity expansion - CVE-2017-12818;
• Heap-based buffer overflow - CVE-2017-12820; and
• Improper access control - CVE-2017-12822.
Again, Siemens is not reporting all 14 of the Gemalto vulnerabilities. I would suspect that this is because the Siemens implementation of the license manager does not include the features affected by the other vulnerabilities.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow arbitrary code execution, NTLM-relay attacks, denial of service of the remote process, remote denial of service, and/or allow the administrative interface to be remotely enabled and disabled without authentication.
NOTE: Siemens announced that it had updated this advisory yesterday. The update includes a link to download the LMS.