Thursday, May 17, 2018

ICS-CERT Publishes 4 Advisories and 2 Siemens Updates


Today the DHS ICS-CERT published three control system security advisories for products from Delta Electronics, Siemens, Phoenix Contact, and Medtronic. They published one medical device security advisory for products from Medtronic. They also updated two previously issued control system security advisories for products from Siemens.

The three Siemens advisories/updates are the ones I mentioned in passing earlier this week.

Delta Advisory


This advisory describes a heap-based buffer overflow vulnerability in the Delta Industrial Automation TPEditor. The vulnerability was reported by ThePotato working with ZDI. Delta has released a new version that mitigates the vulnerability. There is no indication that the researcher was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to crash the accessed device, resulting in a buffer overflow condition that may allow remote code execution.


Siemens Advisory


This advisory describes an improper input validation vulnerability in the Siemens S7-400 CPU. The vulnerability is being self-reported. Siemens has updates that mitigate the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition of the CPU. The CPU will remain in DEFECT mode until a manual restart is performed. The Siemens security advisory notes that:

“Successful exploitation requires an attacker to be able to send a specially crafted S7 communication packet to a communication interface of the CPU. This includes Ethernet, PROFIBUS, and Multi Point Interfaces (MPI). No user interaction or privileges are required to exploit the security vulnerability”

Phoenix Contact Advisory


This advisory describes four vulnerabilities in the Phoenix FL SWITCH 3xxx/4xxx/48xx Series. The vulnerabilities were reported by Vyacheslav Moskvin, Semen Sokolov, Evgeniy Druzhinin, Georgy Zaytsev and Ilya Karpov of Positive Technologies working through CERT@VDE. Newer firmware mitigates the vulnerabilities. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Command injection - CVE-2018-10730;
• Information exposure - CVE-2018-10729; and
• Stack-based buffer overflow (2) - CVE-2018-10728 and CVE-2018-10731

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow for remote code execution and information disclosure.

GE Advisory


This advisory describes an improper input validation vulnerability in the GE PACSystems, an industrial Internet controller. The vulnerability was reported by Younes Dragoni of Nozomi Networks. GE has released new firmware to mitigate the vulnerability. There is no indication that Dragoni was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause the device to reboot and change its state, causing the device to become unavailable.

Medtronic Advisory


This advisory describes a missing encryption of sensitive data vulnerability in the Medtronic N’Vision Clinician Programmer. The vulnerability was reported by Billy Rios of Whitescope LLC. Medtronic has mitigated the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker with physical access to the card could exploit the vulnerability to access personal health information (PHI) or personally identifiable information (PII).

NOTE: This vulnerability was not reported on the FDA Medical Device Safety Communications page.

SIPROTEC Update #1


This update provides additional information on an advisory that was originally reported by ICS-CERT on May 19th, 2016 and updated on July 5th, 2016. This update removes 7SD80 from the list of affected products.

SIPROTEC Update #2


This update provides additional information on an advisory that was originally published on March 8th, 2018 and updated on April 19th, 2018. This update provides updated affected version information and mitigation measures for 7SD80.
