ICS-CERT Publishes 2 Advisories and 3 Updates

Today the DHS ICS-CERT published a control system security advisory for products from Schneider Electric and a medical device security advisory for products from BeaconMedaes. They also published updates to previously published advisories for products from Rockwell, Siemens, and Martem.

Schneider Advisory

This advisory describes three vulnerabilities in the Schneider Floating License Manager. The vulnerabilities are being self-reported. Schneider has new versions available to mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2016-2177;

• Improper restriction of operations within bounds of a memory buffer - CVE-2016-10395; and

• URL redirection to an untrusted site - CVE-2017-5571

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause a denial of service, allow arbitrary execution of code with system level privileges, or send users to arbitrary websites.

BeaconMedaes Advisory

This advisory describes three vulnerabilities in the BeaconMedaes TotalAlert Scroll Medical Air Systems web application. These vulnerabilities were reported by Maxim Rupp. BeaconMedaes has a new version that mitigates the vulnerability, There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper access control - CVE-2018-7526;

• Insufficiently protected credential - CVE-2018-7518; and

• Unprotected storage of credentials - CVE-2018-7515;

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities  to view and potentially modify some device information and web application setup information, which does not include access to patient health information.

NOTE: These vulnerabilities were not reported on the FDA Medical Device Safety Communication site.

Rockwell Update

This update provides new information on an advisory that was originally published on May 10^th, 2018. The new information is supposed to be a link to the Rockwell security advisory [log-in required]. Unfortunately, that link is to the Rockwell Arena advisory (the ICS-CERT advisory for that was publicly published on the same day as the Factory Talk advisory that is currently being updated here. The correct link is https://rockwellautomation.custhelp.com/app/answers/detail/a_id/1073133.

Siemens Update

This update provides new information on an advisory that was originally published on May 8^th, 2018. The new information is a revision to the instructions as to how owner/operators should go about getting the updated version. It removed the original link to the ‘hotfix’ and substitutes the instruction to “Obtain the update via the local Siemens representative”.

Martem Update

This update provides new information on an advisory that was originally published on May 22^nd, 2018. The new information is links to the Martem advisories for vulnerability CVE-2018-10603 and CVE-2018-10607. A link to the Martem advisory for the third vulnerability was already included in the initial ICS-CERT advisory.