Today the DHS ICS-CERT published three control system
security advisories for products from Delta Electronics, Siemens, Phoenix
Contact, and Medtronic. They published one medical device security advisory for
products from Medtronic. They also updated two previously issued control system
security advisories for products from Siemens.
The three Siemens advisories/updates are the ones I
mentioned in passing earlier this week.
Delta Advisory
This advisory
describes a heap-based buffer overflow vulnerability in the Delta Industrial
Automation TPEditor. The vulnerability was reported by ThePotato working with
ZDI. Delta has released a new version that mitigates the vulnerability. There
is no indication that the researcher was provided an opportunity to verify the
efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker could
remotely exploit the vulnerability to crash the accessed device, resulting in a
buffer overflow condition that may allow remote code execution.
Siemens Advisory
This advisory
describes an improper input validation vulnerability in the Siemens S7-400 CPU.
The vulnerability is being self-reported. Siemens has updates that mitigate the
vulnerability.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to cause a denial-of-service condition
of the CPU. The CPU will remain in DEFECT mode until a manual restart is
performed. The Siemens security
advisory notes that:
“Successful exploitation requires
an attacker to be able to send a specially crafted S7 communication packet to a
communication interface of the CPU. This includes Ethernet, PROFIBUS, and Multi
Point Interfaces (MPI). No user interaction or privileges are required to
exploit the security vulnerability”
Phoenix Contact Advisory
This advisory
describes four vulnerabilities in the Phoenix FL SWITCH 3xxx/4xxx/48xx Series. The
vulnerabilities were reported by Vyacheslav Moskvin, Semen Sokolov, Evgeniy
Druzhinin, Georgy Zaytsev and Ilya Karpov of Positive Technologies working
through CERT@VDE. Newer firmware mitigates the vulnerabilities. There is no indication
that any of the researchers have been provided an opportunity to verify the
efficacy of the fix.
The four reported vulnerabilities are:
• Command injection - CVE-2018-10730;
• Information exposure - CVE-2018-10729; and
• Stack-based buffer overflow (2) - CVE-2018-10728 and CVE-2018-10731
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to allow for remote code execution
and information disclosure.
GE Advisory
This advisory
describes an improper input validation vulnerability in the GE PACSystems, an
industrial Internet controller. The vulnerability was reported by Younes
Dragoni of Nozomi Networks. GE has released new firmware to mitigate the
vulnerability. There is no indication that Dragoni was provided an opportunity
to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to cause the device to reboot and
change its state, causing the device to become unavailable.
Medtronic Advisory
This advisory
describes a missing encryption of sensitive data vulnerability in the Medtronic
N’Vision Clinician Programmer. The vulnerability was reported by Billy Rios of
Whitescope LLC. Medtronic has mitigated the vulnerability.
ICS-CERT reports that a relatively low-skilled attacker with
physical access to the card could exploit the vulnerability to access personal
health information (PHI) or personally identifiable information (PII).
NOTE: This vulnerability was not reported on the FDA Medical
Device Safety
Communications page.
SIPROTEC Update #1
This update
provides additional information on an advisory that was originally
reported by ICS-CERT on May 19th, 2016 and updated on July
5th, 2016. This update removes 7SD80 from the list of affected
products.
SIPROTEC Update #2
This update
provides additional information on an advisory that was originally
published on March 8th, 2018 and updated on April
19th, 2018. This update provides updated affected version
information and mitigation measures for 7SD80.