This week we have a vendor-disclosed vulnerability from ABB,
a third-party vulnerability disclosed by Rockwell and an update on a WannaCry
advisory from Siemens.
ABB Vulnerability
ABB published an advisory for a DLL hijacking vulnerability in their
Pluto Manager. The vulnerability was reported by Herman Groeneveld.
ABB has a new version that mitigates the vulnerability.
There is no indication that Groeneveld has been provided an opportunity to
verify the efficacy of the fix.
ABB reports that a social engineering attack would be
required to get an authorized user to load a malicious DLL. A successful exploit
would allow the attacker to run malicious code.
Rockwell 3rd Party Vulnerabilities
Rockwell published an advisory for vulnerabilities in their
Allen-Bradley® Stratix® 5950 Security Appliance due to five reported
vulnerabilities in the Cisco Adaptive Security Appliance (ASA) Software.
Rockwell has provided a set of workarounds for one of the vulnerabilities
and a link to the Cisco SNORT for another. No mitigations are currently
available for the other three. Future software updates are planned.
The five reported vulnerabilities are:
• Flow Creation Denial of Service Vulnerability - CVE-2018-0228;
• Virtual Private Network SSL Client Certificate Bypass Vulnerability - CVE-2018-0227;
• Transport Layer Security Denial of Service Vulnerability - CVE-2018-0231;
• Application Layer Protocol Inspection Denial of Service Vulnerabilities - CVE-2018-0240; and
• Web Services Denial of Service - CVE-2018-0296
As with all 3rd party vulnerability reports, the
open question is how many other ICS vendors are using the Cisco ASA software?
Siemens WannaCry Update
Siemens updated their advisory for the WannaCry vulnerability in their
Molecular Diagnostics Products from Siemens Healthineers. The original
advisory was linked to in the 3rd update to the ICS-CERT WannaCry Alert
in May of last year. The update notes that “Healthineers customer service
engineers have been deploying fixes to affected systems”.
Depressing News
Any time that I start to feel hopeful about issues related
to control system cybersecurity (I am an optimist by nature) I go to the Zero Day
Initiative web site and look at the list of ‘Upcoming Advisories’ curated
by that organization. The number of control system names in the vendor column
is daunting to say the least.