ICS-CERT Publishes Advisory and 2 Updates

Yesterday the DHS ICS-CERT published a control system security advisory for products from Philips. They also published updates for two previously published advisories; one for control system products from Martem and one for medical device products from Philips.

Philips Advisory

This advisory describes 9 vulnerabilities in the Philips e-Alert Unit. The vulnerabilities are self-reported. Philips has a version available that mitigates some of the vulnerabilities. A new version dealing with the remainder will be published by the end of the year.

The nine reported vulnerabilities are:

• Improper input validation - CVE-2018-8850;
• Improper neutralization of input during web page generation - CVE-2018-8846;
• Information exposure - CVE-2018-14803;
• Incorrect default permission - CVE-2018-8848;
• Cleartext transmission of sensitive information - CVE-2018-8842;
• Cross-site request forgery - CVE-2018-8844;
• Session fixation - CVE-2018-8852;
• Uncontrolled resource consumption - CVE-2018-8854; and
• Use of hard-coded credentials - CVE-2018-8856.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit some of the vulnerabilities to provide unexpected input to the application, execute arbitrary code, display unit information, or potentially cause e-Alert to crash. The other vulnerabilities could only be exploited from within the same subnet.

Martem Update

This update provides new information on an advisory that was previously published on May 22nd, 2018 and updated on May 24th, 2018. The new information includes:

• An additional vulnerability (incorrect default permissions);
• An additional risk consequence (full control over RTU);
• Updated affected version information; and
• Mitigation information for the new vulnerability.

Philips Update

This update provides new information on an advisory that was originally published on August 21st, 2018. The new information removes the ‘remotely exploitable’ language and notes that the “vulnerability is exploitable from within the same local device subnet”.

