Tuesday, July 10, 2018

ICS-CERT Publishes 2 Advisory – Updates Spectre Alert


Today the DHS ICS-CERT published two control system security advisories for products from Schweitzer Engineering and Universal Robots. They also updated their alert for Meltdown/Spectre vulnerabilities.

Schweitzer Advisory


This advisory describes three vulnerabilities in the Schweitzer Compass and AcSELerator Architect products. The vulnerabilities were reported by Gjoko Krstic of Applied Risk. The latest versions of the software mitigate the vulnerability. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Incorrect default permissions - CVE-2018-10604;
• Improper restriction of XML external entity reference - CVE-2018-10600; and
Uncontrolled resource consumption - CVE-2018-10608

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability with publicly available exploit code to allow modification/replacement of files within the Compass installation directory, disclosure of information, or denial of service.

Universal Robots Advisory


This advisory describes two vulnerabilities in the Universal Robots Robot Controllers. The vulnerabilities were reported by Davide Quarta, Mario Polino, Marcello Pogliani, and Stefano Zanero from Politecnico di Milano as well as Federico Maggi with Trend Micro Inc. Universal Robots has described generic workarounds to mitigate the vulnerabilities. There is no indication that any of the researchers have been provided with an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Use of hard-coded credentials - CVE-2018-10633; and
• Missing authentication for critical function - CVE-2018-10635

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to run arbitrary code on the device.

Meltdown/Spectre Update


This update provides additional information on an alert that was originally published on January 11th, 2018 and updated on January 16th, 2018, January 17th, 2018, January 30th, 2018, February 20th, 2018, February 22nd, 2018, March 1st, 2018 and again on April 26th, 2018 (typo in ICS-CERT update says 4-27-18). The update provides a link to the new PEPPERL+FUCHS (ecom mobile devices) advisory that I discussed on Saturday.

No comments:

 
/* Use this with templates/template-twocol.html */