Today the DHS ICS-CERT published two new control system
security advisories for products from Rockwell Automation and Delta Electronics.
They also updated a previously published control system security advisory for
products from Siemens.
Rockwell Advisory
This advisory
describes an improper input validation vulnerability in the Rockwell Allen-Bradley
CompactLogix and Compact GuardLogix controllers. The vulnerability was reported
by Alexey Perepechko of Applied Risk. Newer firmware versions mitigate the
vulnerability. There is no indication that Perepechko was provided an opportunity
to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to cause a denial-of-service
condition. As a result, the controller goes into a Major Non-Recoverable Fault
(MNRF) state, which is considered safe. However, recovery requires the user to
download the application program again.
The Rockwell advisory
notes that the vulnerability was publicly disclosed by ‘researchers’ at the ICS
Cyber Security Conference in Singapore on April 25, 2018.
Delta Advisory
This advisory
describes a stack-based buffer overflow vulnerability in the Delta Industrial
Automation COMMGR software. The vulnerability was reported by an anonymous researcher
via ZDI. Delta has a new version that mitigates the vulnerability. There is no
indication that the researcher was provided an opportunity to verify the
efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow remote code execution, cause
the application to crash, or cause a denial-of-service condition in the
application server.
Siemens Update
This update
provides additional information on an advisory that was originally
published on May 9th, 2017 and updated on June 15, 2017, on July 25th, 2017,
on August 17th, 2017, on October 10th, 2017, on November 14th, 2017, on January
23rd, 2018, and most recently on February 27th, 2018. The update provides
updated affected version information and mitigation links for:
• Affected version for PCS 7; and
• Added update information for PCS V8.2
NOTE: I reported
on the Siemens update last weekend.