Thursday, April 26, 2018

ICS-CERT Publishes 2 Alerts and Updates Meltdown Alert


Today the DHS ICS-CERT published two control system security advisories for products from WECON Technology and Delta Electronics. They also updated their control system security alert for the Meltdown/Spectre vulnerabilities.

WECON Advisory


This advisory describes a stack-based buffer overflow vulnerability in the WECON LEVI Studio HMI Editor and PI Studio HMI Project Programmer. The vulnerability was reported by Sergey Zelenyuk of RVRT and Michael DePlante of the Leahy Center for Digital Investigation via the Zero Day Initiative (ZDI). WECON has a new version that mitigates the vulnerability. There is no indication that either researcher was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow remote code execution.

Delta Advisory


This advisory describes multiple stack-based buffer overflows (covered by a single CVE) in Delta PMSoft, a software development tool for motion controllers. The vulnerabilities were reported by Ghirmay Desta via ZDI. Delta has a new version available that mitigates the vulnerabilities.

ICS-CERT reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to cause the application to crash; stack-based buffer overflow conditions may allow arbitrary code execution.

Meltdown Update


This update provides new information on an alert that was originally published on January 11th, 2018 and updated on January 16th, 2018, January 17th, 2018, January 30th, 2018, February 20th, 2018, February 22nd, 2018 and again on March 1st, 2018. The update provides a link to a new vendor report from:


Although not specifically mentioned in the update, the current links also provide access to updated information from:

Siemens (which I mentioned Saturday); and
