ICS-CERT Publishes 3 Advisories and Updates 2

Yesterday the DHS ICS-CERT published three control system security advisories for products from Yokogawa, GE and Delta Industrial. They also updated one medical device security advisory for products from Silex and an industrial control system security advisory for products from Rockwell.

Yokogawa Advisory 

This advisory describes a hard-coded credential vulnerability in the Yokogawa STARDOM Controllers. The vulnerability was reported by VDLab of Venustech and Dongfang Electric Corporation. Yokogawa has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to gain access to the affected device, which could result in remote code execution.

GE Advisory 

This advisory describes three vulnerabilities in the GE MDS PulseNET and MDS PulseNET Enterprise products. The vulnerability was reported by Andrea Micalizzi (rgod). GE notes that the latest version mitigates these vulnerabilities. There is no indication that rgod was provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper authentication - CVE-2018-10611;

• Improper restriction of XML external entity reference - CVE-2018-10613; and

• Relative path traversal - CVE-2018-10615

ICS-CERT reports that that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow elevation of privilege and exfiltration of information on the host platform.

Delta Advisory

This advisory describes three vulnerabilities in the Delta Industrial Automation DOPSoft HMI editing software. The vulnerabilities were reported by B0nd @garagehackers via the Zero Day Initiative. Delta notes that the latest version mitigates the vulnerabilities. There is no indication that the researcher was provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Out of bounds read - CVE-2018-10623;

• Heap-based buffer overflow - CVE-2018-10617; and

• Stack-based buffer overflow - CVE-2018-10621

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to read sensitive information, execute arbitrary code, and/or crash the application.

Silex Update

This update provides additional information on an advisory that was originally reported on May 8^th, 2018. The update provides a link to a new version of GE MobileLink/GEH-SD-320AN.

Rockwell Update

This update provides additional information on an advisory that was originally published on May 10^th, 2018 and subsequently updated on May 24^th, 2018. The update corrects the link to the Rockwell advisory.