Today the DHS ICS-CERT published a control system security advisory for products from ABB and a medical device security advisory for products from Philips. They also updated a medical device security advisory for products from Silex.
ABB Advisory
This advisory describes three vulnerabilities in the ABB IP Gateway. The vulnerabilities were reported by Maxim Rupp. ABB has a new version that mitigates the vulnerabilities. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Improper authentication - CVE-2017-7931;
• Cross-site request forgery - CVE-2017-7906; and
• Unprotected storage of credentials - CVE-2017-7933.
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to perform actions using administrative privileges.
Philips Advisory
This advisory describes three vulnerabilities in the Philips IntelliVue Patient Monitors and Avalon Fetal/Maternal Monitors. These vulnerabilities were reported by Oran Avraham of Medigate. Philips has provided mitigation suggestions to use until an update becomes available. There is no indication that Avraham has been provided an opportunity to verify the efficacy of the interim measures.
The three reported vulnerabilities are:
• Improper authentication - CVE-2018-10597;
• Information exposure - CVE-2018-10599; and
• Stack-based buffer overflow - CVE-2018-10601.
ICS-CERT reports that a highly skilled attacker on the same local device subnet could exploit these vulnerabilities to read/write memory and/or induce a denial of service through a system restart, thus potentially leading to a delay in diagnosis and treatment of patients.
NOTE: These vulnerabilities have not been reported on the FDA Medical Device Safety Communications page.
Silex Update
This update provides new information on an advisory that was originally reported on May 8th, 2018 and updated on May 31st, 2018. The update provides a link to a firmware update for SD-320AN (separate from GEH-SD-320AN) and a link to GE security information about the vulnerability.