This week we have a vendor advisory and two updates of
previously issued advisories from Siemens. Additionally, OSIsoft released a new
version of their PI SDK 2018 that, according to the release
notes, addresses (among other issues) “potential security issues in PI SDK
code as identified by Synopsis Static Analysis (Coverity)”.
Siemens Advisory
This advisory
describes “service of the affected products listening on all of the host’s
network interfaces on either port 4884/TCP, 5885/TCP, or port 5886/TCP could
allow an attacker to either exfiltrate limited data from the system or to
execute code with Microsoft Windows user permissions”. The vulnerability was
reported by Chris Bellows and HD Moore from Atredis Partners and Austin Scott
from San Diego Gas and Electric. Siemens has provided new versions for some of
the affected products to mitigate the vulnerability and identified workarounds
for others. There is no indication that any of the researchers have been
provided an opportunity to verify the efficacy of the fix.
RAPIDLab Update
This update
provides new information on two vulnerabilities that were previously
reported by Siemens on June 12th, 2018. The new information is an
acknowledgement that the vulnerabilities were reported by Oran Avraham from
MEDIGATE. This advisory has not been reported by ICS-CERT.
Spectre and Meltdown Update
This update provides new information on the Spectre and Meltdown
vulnerabilities in Industrial Products that was last
updated on May 29th, 2018. The new information provides new version
and mitigation information for HMI Panels with SIMATIC WinCC V14.
Commentary
You have to give OSIsoft credit for turning to an outside
agency (Coverity)
to have static code analysis done on their product. This independent evaluation
is an example of going the extra mile in secure code development. What is not
clear, however, from the release notes on this product is whether or not the
code issues being corrected existed in the earlier versions of the development
kit.
If the corrected vulnerabilities were in earlier versions, I
would have preferred to see an enumeration of those vulnerabilities in a
security advisory so that users could conduct a proper risk assessment to see
if their situation necessitated an immediate upgrade to this newer version.
OSIsoft has a strong history of identifying and correcting security issues, so
I suspect that they felt that either the vulnerabilities were related just to
new code or that the vulnerabilities in the previous code were so minor as to
not require specific notification.