Thursday, April 19, 2018

ICS-CERT Publishes Advisory and Three Updates for Siemens Products

Today the DHS ICS-CERT published one new control system security advisory for products from Siemens. They also provided updates for three previously published Siemens control system security advisories.

Siemens Advisory


This advisory describes a file and directory information exposure vulnerability in the Siemens Simatic WinCC OA iOS App. The vulnerability was reported by Alexander Bolshev of IOActive and Ivan Yushkevich of Embedi. Siemens has identified workarounds to mitigate the vulnerability. There is no indication that either researcher was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker with physical access to the mobile device could exploit the vulnerability to read sensitive data located in the app’s directory.

SIMATIC Update


This update provides additional information on an advisory that was originally published on March 18th, 2018. The update provides links to the updates for all of the affected products.

SIPROTEC Update #1


This update provides additional information on an advisory that was originally published on March 8th, 2018. The ICS-CERT update provides a link to the updated version of the EN100 Ethernet module DNP3 variant with additional mitigation measures. The Siemens update also provides corrected affected-version information for the same product.

SIPROTEC Update #2


This update provides additional information on an advisory that was originally published on March 8th, 2018. The ICS-CERT update provides a link to the updated version of the EN100 Ethernet module DNP3 variant with additional mitigation measures. The Siemens update also provides corrected affected-version information for the same product.
