Today the DHS ICS-CERT published two control system security advisories for products from Schweitzer Engineering and Universal Robots. They also updated their alert for Meltdown/Spectre vulnerabilities.
Schweitzer Advisory
This advisory describes three vulnerabilities in the Schweitzer Compass and AcSELerator Architect products. The vulnerabilities were reported by Gjoko Krstic of Applied Risk. The latest versions of the software mitigate the vulnerabilities. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Incorrect default permissions - CVE-2018-10604;
• Improper restriction of XML external entity reference - CVE-2018-10600; and
• Uncontrolled resource consumption - CVE-2018-10608
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities with publicly available exploit code to allow modification/replacement of files within the Compass installation directory, disclosure of information, or denial of service.
Universal Robots Advisory
This advisory describes two vulnerabilities in the Universal Robots Robot Controllers. The vulnerabilities were reported by Davide Quarta, Mario Polino, Marcello Pogliani, and Stefano Zanero from Politecnico di Milano as well as Federico Maggi with Trend Micro Inc. Universal Robots has described generic workarounds to mitigate the vulnerabilities. There is no indication that any of the researchers have been provided with an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Use of hard-coded credentials - CVE-2018-10633; and
• Missing authentication for critical function - CVE-2018-10635
ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to run arbitrary code on the device.
Meltdown/Spectre Update
This update provides additional information on an alert that was originally published on January 11th, 2018 and updated on January 16th, 2018, January 17th, 2018, January 30th, 2018, February 20th, 2018, February 22nd, 2018, March 1st, 2018 and again on April 26th, 2018 (typo in ICS-CERT update says 4-27-18). The update provides a link to the new PEPPERL+FUCHS (ecom mobile devices) advisory that I discussed on Saturday.