This week we have four new vendor-reported vulnerabilities
(all from ABB) and two vendor updates of previously disclosed vulnerabilities
(both from Siemens).
Industrial Products Spectre and Meltdown Update
This update
provides new mitigation information (for SIMATIC IPC427D, SIMATIC IPC477D,
SIMATIC FieldPG M4) on the previously
reported Spectre and Meltdown vulnerabilities in Siemens Industrial
Products. The Industrial Products vulnerability was reported in the ICS-CERT
Meltdown and Spectre Vulnerabilities Alert, but ICS-CERT does not issue an
update for multivendor products when listed product advisories are updated.
To be fair, the link in the latest version of the ICS-CERT
alert does take you to the latest version of the Siemens advisory, but you have
no way of knowing that new information is available just by looking at the ICS-CERT
alert. This is an ongoing issue for all ICS-CERT alerts/advisories covering
multiple vendor vulnerabilities.
SIMATIC Denial of Service Vulnerability Update
This update
provides new mitigation information (for SIMATIC BATCH V8.0 and V8.1) on the previously
reported denial of service vulnerability in the Siemens SIMATIC product
line. I am not sure why ICS-CERT did not update their advisory for this product
on Thursday when they updated
the SIMATIC IPC advisory that was released the same day.
Relion 630 Series Advisory #1
This advisory
describes a weak database encryption vulnerability in the ABB Relion 630 Series
relays. This vulnerability was privately reported to ABB. ABB does not plan
corrective measures for this specific issue in the affected products.
ABB reports that an uncharacterized attacker with uncharacterized
access could exploit the vulnerability to delete or modify the database. Removing
or modifying the database will make the device inoperable. ABB notes that the
database contains cross reference data for faster indexing and searching and
does not contain any secret information.
Relion 630 Series Advisory #2
This advisory
describes a path traversal vulnerability in the IEC 61850 Manufacturing Message
Specification (MMS) implementation in the ABB Relion 630 Series relays. The
vulnerability was privately reported to ABB. ABB has new versions that mitigate
the vulnerability.
ABB reports that an uncharacterized attacker with
uncharacterized access could exploit the vulnerability to retrieve any file on
the device’s flash drive without authentication on the device or make the
product inoperative by deleting files from the device’s flash drive.
It is not clear if this is a problem that is unique to ABB's
implementation of the IEC 61850 MMS or whether it may apply to other vendor
devices as well.
Relion 630 Series Advisory #3
This advisory
describes a terminal reboot vulnerability in the SPA communications protocol in
the ABB Relion 630 Series relays. The vulnerability was privately reported to
ABB. ABB has new versions that mitigate the vulnerability.
ABB reports that an uncharacterized attacker with
uncharacterized access could exploit the vulnerability to reboot the device
resulting in a denial of service situation. During the reboot phase, the
primary functionality of the device is not available.
PCM600 and SAB600 Advisory
This advisory
describes multiple vulnerabilities in the Sentinel HASP Run-time
Environment in the ABB PCM600 and SAB600 substation management devices. These
vulnerabilities are apparently the Gemalto license management problems reported
by Kaspersky Labs; ABB is reporting only four of the fourteen Gemalto vulnerabilities.
ABB has new versions that mitigate the vulnerabilities.
ABB reports that an uncharacterized attacker with
uncharacterized access could exploit the vulnerabilities to cause a buffer
overflow. Buffer overflows may allow remote attackers to execute arbitrary code
or to shut down the remote process (a denial of service).