ICS-CERT Publishes 3 Advisories and 1 Siemens Update

Today the DHS ICS-CERT published three control system security advisories for products from Rockwell Automation (2) and MatrikonOPC. The also updated a Siemens advisory; this is the update that I mentioned in passing last Thursday [changed link and day; 05-11-18, 0624 EDT]. The Factory Talk advisory was originally released to the HSIN ICS-CERT library on April 12, 2018.

Factory Talk Advisory

This advisory describes two vulnerabilities in the Rockwell Factory Talk Activation Manager. I described these vulnerabilities in a blog post on April 14^th. At that time I was not aware that ICS-CERT had published a restricted release advisory for the publicly available Rockwell notification (registration required). The ICS-CERT advisory does not mention the publicly available exploits for these vulnerabilities.

Arena Advisory

This advisory describes a use after free vulnerability in the Rockwell Arena simulation software for manufacturing. The vulnerability was reported by Ariele Caltabiano via the Zero Day Initiative. Rockwell has a newer version that mitigates the vulnerability. There is no indication that Caltabiano has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to cause the software application to crash. The Rockwell notice explains that a social engineering attack would be required to get an authorized user to open a maliciously crafted Arena file to exploit this vulnerability.

MatrikonOPC Advisory

This advisory describes a files or directories accessible to external parties vulnerability in the MatrikonOPC Explorer. The vulnerability was reported by Ilya Kapov of Positive Technologies. MatrikonOPC has a patch available to mitigate the vulnerability. There is no indication that Kapov has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker with local access could exploit this vulnerability to transfer unauthorized files from the host system. The MatrikonOPC security notification reports that the vulnerability exists in the Microsoft MSXML libraries that have ‘known vulnerabilities’ but does not provide the version number being used. This raises the inevitable questions about whether or not all of the appropriate Microsoft patches have been applied. Again, this is an inevitable problem with the use of third party libraries.

Siemens Update

This update provides information on an advisory that was originally published on November 28th, 2017 and updated on April 5^th, 2018. This update provides mitigation measures for  SCALANCE M-800 and S615.