Tuesday, May 15, 2018

ICS-CERT Publishes Advantech Advisory and Updates Siemens Advisory

Today the DHS ICS-CERT published a control system security advisory for products from Advantech. They also updated a previously issued advisory for products from Siemens.

Advantech Advisory

This advisory describes eleven vulnerabilities in the Advantech WebAccess products. The vulnerabilities were reported by Mat Powell and rgod, working with ZDI; Steven Seeley of Offensive Security, working with ZDI; and Donato Onofri and Simone Onofri of Business Integration Partners S.p.A. Advantech released a new version that mitigates the vulnerabilities. There is no indication that any of the researchers were provided an opportunity to verify the efficacy of the fix.

The eleven reported vulnerabilities are:

• SQL injection - CVE-2018-7501;
• Information exposure through directory listing - CVE-2018-10590;
• Improper authorization - CVE-2018-7505;
• Path traversal (2) - CVE-2018-7503 and CVE-2018-10589;
• Stack-based buffer overflow - CVE-2018-7499;
• Heap-based buffer overflow - CVE-2018-8845;
• Untrusted pointer dereference - CVE-2018-7497;
• External control of file name or path - CVE-2018-7495;
• Origin validation error - CVE-2018-10591; and
• Improper privilege management - CVE-2018-8841.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to disclose sensitive information from the host and/or target, execute arbitrary code, or delete files.

Siemens Update

This update provides additional information for an advisory that was originally published on May 9th, 2017 and updated on June 15, 2017, on July 25th, 2017, on August 17th, 2017, on October 10th, on November 14th, November 28th, February 27th, 2018 and most recently on May 3rd, 2018. The new information includes links to new versions for version 4.7 of:

• SINAMICS S120; and

The Siemens security advisory provided undated version information for the same products, but that was not reported in the ICS-CERT advisory.

NOTE: Siemens also reported two other updated advisories (here and here) and a new advisory (here) today when they reported this update. Hopefully ICS-CERT will publish their versions later this week.
