Yesterday the DHS ICS-CERT published two medical device
control system advisories for products from Biosense Webster, Inc (BWI) and
Abbott Laboratories. They also published five industrial control system advisories
for products from Schneider Electric (2) and Rockwell Automation (3).
Stratix Industrial Managed Ethernet Switch Advisory
This advisory
describes eight vulnerabilities in the Allen-Bradley Stratix Industrial Managed
Ethernet Switch. The 3rd party vulnerabilities were originally reported
by Cisco in their IOS, IOS XE, and IOS XR Software. Rockwell specifically
reports that only these 8 (of 22 Cisco reported) vulnerabilities apply to
this product. Cisco has released new SNORT rules for some of the
vulnerabilities and both Rockwell and Cisco have offered workarounds.
The eight reported vulnerabilities are:
• Improper input validation (4) - CVE-2018-0171, CVE-2018-0174, CVE-2018-0172, CVE-2018-0173;
• Resource management errors - CVE-2018-0156;
• 7PK - Errors - CVE-2018-0155;
• Improper restriction of operations within bounds of a memory buffer - CVE-2018-0167; and
• Use of an externally controlled format string - CVE-2018-0175.
ICS-CERT reports that a relatively low-skilled attacker could
remotely exploit these vulnerabilities to effect a loss of availability,
confidentiality, and/or integrity caused by memory exhaustion, module restart,
information corruption, and/or information exposure.
Stratix and ArmorStratix Switch Advisory
This advisory
describes eight vulnerabilities in the Allen-Bradley Stratix and ArmorStratix
Switches. The 3rd party vulnerabilities were originally reported
by Cisco in their IOS, IOS XE, and IOS XR Software. Rockwell specifically
reports that only these 8 (of 22 Cisco reported) vulnerabilities apply to
this product (Note: not the same 8 as above). Rockwell has provided updates
for the affected products. Cisco has released new SNORT rules for some of the
vulnerabilities and both Rockwell and Cisco have offered workarounds.
The eight reported vulnerabilities are:
• Improper input validation (6) - CVE-2018-0171, CVE-2018-0156, CVE-2018-0174, CVE-2018-0172, CVE-2018-0173, CVE-2018-0158, CVE-2018-0167;
• Improper restriction of operations within bounds of a memory buffer - CVE-2018-0167; and
• Use of an externally controlled format string - CVE-2018-0175.
ICS-CERT reports that a relatively low-skilled attacker could
remotely exploit these vulnerabilities to effect a loss of availability,
confidentiality, and/or integrity caused by memory exhaustion, module restart,
information corruption, and/or information exposure.
Stratix Services Router Advisory
This advisory
describes four vulnerabilities in the Allen-Bradley Stratix Services Router.
The 3rd party vulnerabilities were originally reported
by Cisco in their IOS, IOS XE, and IOS XR Software. Rockwell specifically
reports that only these 4 (of 22 Cisco reported) vulnerabilities apply to
this product. Rockwell has provided
updates for the affected products. Cisco has released new SNORT rules for some
of the vulnerabilities and both Rockwell and Cisco have offered workarounds.
The four reported vulnerabilities are:
• Improper input validation - CVE-2018-0158;
• Improper restriction of operations within bounds of a memory buffer (2) - CVE-2018-0151 and CVE-2018-0167; and
• Use of an externally controlled format string - CVE-2018-0175.
ICS-CERT reports that a relatively low-skilled attacker could
remotely exploit these vulnerabilities to effect a loss of availability,
confidentiality, and/or integrity caused by memory exhaustion, module restart,
information corruption, and/or information exposure.
Triconex Advisory
This advisory
describes two vulnerabilities in the Schneider Triconex Tricon safety system.
The vulnerabilities were discovered by ICS-CERT and Schneider during the
investigation of the HatMan
attack. Schneider has new firmware that mitigates the vulnerabilities.
The two reported vulnerabilities are:
• Improper restriction of operations within bounds of a memory buffer (2) - CVE-2018-8872 and CVE-2018-752.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to allow the attacker to misinform
or control the Safety Instrumented System which could result in arbitrary code
execution, system shutdown, or the compromise of safety systems. These vulnerabilities
were exploited during the HatMan attack.
NOTE: Interestingly, Schneider has not yet published their
security notification on these vulnerabilities.
InduSoft Web Studio Advisory
This advisory
describes a buffer overflow vulnerability in the Schneider InduSoft Web Studio
and InTouch Machine Edition products. The vulnerability was reported by Tenable.
Schneider has new versions that mitigate the vulnerability. There is no indication
that Tenable has been provided an opportunity to verify the efficacy of the
fix.
ICS-CERT reports that a relatively low-skilled attacker can
remotely exploit the vulnerability to allow remote code execution that, under
high privileges, could completely compromise the device.
Biosense Advisory
This advisory
describes a large number of vulnerabilities in the BWI CARTO 3 System, a 3D
cardiovascular mapping platform. The vulnerabilities were self-reported. BWI
has a new version available that mitigates the vulnerabilities. These vulnerabilities
have not been reported on the FDA device safety
page.
ICS-CERT reports that an uncharacterized attacker with persistent
physical access could exploit these vulnerabilities to access information
stored in the device, including individually identified health information
about patients, affect the integrity of CARTO 3, or deny availability of the
device. If the CARTO 3 V4 System is networked, an attacker with persistent
physical access may also be able to access other systems within the user’s
network.
NOTE: The 12+ pages of vulnerability
listing consist of Microsoft vulnerabilities listed back to 2012. There are
publicly available exploits for many of these vulnerabilities.
Abbott Advisory
This advisory
describes two vulnerabilities in the Abbott Implantable Cardioverter
Defibrillator and Cardiac Synchronization Therapy Defibrillator. The
vulnerabilities were reported by MedSec Holdings. Abbott has produced a
firmware update to mitigate the vulnerabilities. There is no indication that
MedSec Holdings has been provided an opportunity to verify the efficacy of the
fix. These vulnerabilities have been reported
by the FDA on their medical device safety
page.
The two reported vulnerabilities are:
• Improper authentication - CVE-2017-12712; and
• Improper restriction of power consumption - CVE-2017-12714.
ICS-CERT reports that an uncharacterized attacker could
remotely exploit these vulnerabilities to gain unauthorized access to an ICD to
issue commands, change settings, or otherwise interfere with the intended
function of the ICD.