This week we have a vendor update of a previously released
advisory, a coordinated disclosure of multiple vulnerabilities in a medical
device, and an exploit for a previously disclosed vulnerability. In passing,
there was a new
advisory from Schneider (U.Motion Builder) that was released on Thursday
that may yet be reported by ICS-CERT.
Spectre Update
This week Siemens updated their
advisory on the Spectre vulnerabilities in Industrial Products to add
mitigation measures for:
• RUGGEDCOM APE;
• RUGGEDCOM VPE1400;
• SINEMA Remote Connect;
• SIMATIC S7-1518-4 PN/DP ODK;
• SIMATIC S7-1518F-4 PN/DP ODK; and
• SIMATIC HMI Panels
ICS-CERT does not update their multi-vendor advisories to
reflect vendor updates as the links provided generally point to the new
information. From an ICS-CERT administrative point of view, this makes a
certain amount of sense.
Siemens also updated their general
Spectre advisory to reflect information on the next
generation Spectre. It will be sometime yet before the Spectre NG will be
reflected in the product specific advisories as we are still waiting on the
chip-level mitigations to be produced.
Medical Device Disclosure
This week Talos published three reports (here,
here
and here)
of vulnerabilities in the Natus Xltek
NeuroWorks software; these are coordinated disclosures. The three reported
vulnerabilities are:
• Invalid key entry denial of
service - CVE-2017-2860;
• Deserialization denial of service
- CVE-2017-2852; and
• Traversal denial of service - CVE-2017-2858
NOTE: These have not been reported on the FDA
Medical Device Safety Communications page.
Siemens Exploit
This week we have another exploit report from t4rkd3vilz on
Exploit-DB.com. This one is for a Siemens SIMATIC S7-300 that was originally
reported in 2015. While ICS-CERT will note if a publicly available exploit
exists at the time of publication of their advisories, they do not generally
provide updates that report new exploits.
Posts
No comments:
Post a Comment