Today the DHS ICS-CERT published three control system
security advisories for products from Siemens. They also published a medical
device security advisory for products from Silex Technology and GE Healthcare.
The Siemens advisories are the ones that I
mentioned last week.
Siveillance App Advisory
This advisory
describes an improper certificate validation vulnerability in the Siemens Siveillance
VMS Video Mobile Apps (both Android and iOS versions). The vulnerability was
reported by Karsten Sohr from TZI Bremen. Siemens has new versions that
mitigate the vulnerability. There is no indication that Sohr has been
provided an opportunity to verify the efficacy of the fix.
ICS-CERT reports that an uncharacterized attacker in a
privileged network position could remotely exploit the vulnerability to read
data from and write data to the encrypted communication channel between the app
and a server.
Siveillance Advisory
This advisory
describes a deserialization of untrusted data vulnerability in the Siemens Siveillance
VMS IP video management software. This vulnerability is being self-reported.
Siemens has produced updates that mitigate the vulnerability. The Siemens advisory
also recommends restricting network access to port 7474/TCP and port 9993/TCP.
ICS-CERT reports that an uncharacterized attacker could
remotely exploit the vulnerability to allow elevation of privileges and/or
cause a denial-of-service.
SINAMICS Advisory
This advisory
describes two separate improper input validation vulnerabilities in the Siemens
medium voltage SINAMICS Products. These vulnerabilities are being self-reported.
Siemens has updates available to mitigate the vulnerabilities.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to effect a denial-of-service
condition, resulting in a manual restart of the affected devices.
Silex Advisory
This advisory
describes two vulnerabilities in the Silex SX-500 and SD 320AN as well as
products integrated into GE Mobile Link. The vulnerabilities were reported by Eric
Evenchick of Atredis Partners; they have published proof of concept code for
the vulnerabilities here
and here.
A new firmware version is scheduled for release later this month that mitigates
the vulnerability. ICS-CERT reports that Evenchick has verified the efficacy of
the fix.
The two reported vulnerabilities are:
• Improper authentication - CVE-2018-6020; and
• OS command injection - CVE-2018-6021
ICS-CERT reports that a relatively low-skilled attacker using
the publicly available exploits could remotely exploit the vulnerability to allow
modification of system settings and remote code execution.
NOTE: This vulnerability was not reported on the FDA
Medical Device Safety Communications web site.