ICS-CERT Publishes Advantech Advisory and Updates Siemens Advisory

Today the DHS ICS-CERT published a control system security advisory for products from Advantech. They also updated a previously issued advisory for products from Siemens.

Advantech Advisory

This advisory describes eleven vulnerabilities in the Advantech WebAccess products. The vulnerabilities were reported by Mat Powell and rgod, working with ZDI; Steven Seeley of Offensive Security, working with ZDI; and Donato Onofri and Simone Onofri of Business Integration Partners S.p.A. Advantech released a new version that mitigates the vulnerabilities. There is no indication that any of the researchers were provided an opportunity to verify the efficacy of the fix.

The eleven reported vulnerabilities are:

• SQL injection - CVE-2018-7501;

• Information exposure through directory listing - CVE-2018-10590;

• Improper authorization - CVE-2018-7505;

• Path traversal (2) - CVE-2018-7503, and CVE-2018-10589;

• Stack-based buffer overflow - CVE-2018-7499;

• Heap-based buffer overflow - CVE-2018-8845;

• Untrusted pointer dereference - CVE-2018-7497;

• External control of file name or path - CVE-2018-7495;

• Origin validation error - CVE-2018-10591; and

• Improper privilege management - CVE-2018-8841

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilitie to disclose sensitive information from the host and/or target, execute arbitrary code, or delete files.

Siemens Update

This update provides additional information for an advisory that was originally published on May 9^th, 2017 and updated on June 15, 2017,on July 25^th, 2017, on August 17^th, 2017, on October 10^th, on November 14^th, November 28^th, February 27^th, 2018 and most recently on May 3^rd, 2018. The new information includes links to new versions for version 4.7 of:

• SINAMICS G130;

• SINAMICS G150;

• SINAMICS S120; and

• SINAMICS S150

The Siemens security advisory provided undated version information for the same products, but that was not reported in the ICS-CERT advisory

NOTE: Siemens also reported two other updated advisories (here and here) and a new advisory (here) today when they reported this update. Hopefully ICS-CERT will publish their versions later this week.