Public ICS Disclosures – Week of 08-04-18

This week we have four vendor advisories from Siemens (3) and ABB and an update of a vendor advisory from Siemens. There were also a number of BlackHat Briefings this week that touched on control system security issues.

Automation License Manager Advisory

Siemens reported two vulnerabilities in their Automation License Manager. The vulnerabilities were reported by Vladimir Dashchenko from Kaspersky Lab. Siemens has updates available to mitigate the vulnerabilities. There is no indication that Dashchenko was provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Directory traversal - CVE-2018-11455; and

• Network canning vulnerability - CVE-2018-11456

OpenSSL Advisory

Siemens reported an ‘open error state’ vulnerability in the OpenSSL implementation in a number of Siemens Industrial Products. This third-party software vulnerability is being self-reported by Siemens. Siemens has developed updates for some of the affected products (additional work is ongoing) to mitigate the vulnerability.

As always with third-party software issues, there is always the possibility that this vulnerability may affect control system products from other vendors.

SIMATIC Advisory

Siemens reported two improper file permission vulnerabilities in their SIMATIC Step 7 and WinCC products. The vulnerabilities were reported by Younes Dragoni from Nozomi Networks. Siemens has updates for some of the affected products and has reported work arounds.

NOTE: Siemens notes that this vulnerability was coordinated through ICS-CERT so we will probably see this reported by ICS-CERT next week.

ABB Advisory

ABB reported (registration required) an  LDAP authentication vulnerability in their eSOMS product. The vulnerability was reported by an undisclosed researcher. ABB is working on a new version to mitigate the vulnerability and has reported a work around.

Siemens Update

Siemens updated their Spectre/Meltdown advisory. This advisory was last updated on June 26^th, 2018. This latest update adds update information for SIMATIC IPC6x7C, SIMAITC IPC8x7C, SIMOTION P320-4S, and SIMOTION P320-4E.

BlackHat Briefings

The latest BlackHat conference was held in Las Vegas this week. There were six briefings that the conference web site identifies as touching on Smart Grid/Industrial Security. There were:

TRITON: How it Disrupted Safety Systems and Changed the Threat Landscape of Industrial Control Systems, Forever

Speaker: Andrea Carcano, Marina Krotofil, Younes Dragoni

White Paper - http://i.blackhat.com/us-18/Wed-August-8/us-18-Carcano-TRITON-How-It-Disrupted-Safety-Systems-And-Changed-The-Threat-Landscape-Of-Industrial-Control-Systems-Forever-wp.pdf

Deep Dive into an ICS Firewall, Looking for the Fire Hole

Speaker: Benoit Camredon, Julien Lenoir

Breaking the IIoT: Hacking industrial Control Gateways

Speaker: Thomas Roth

Snooping on Cellular Gateways and Their Critical Role in ICS

Speaker: Justin Shattuck

Presentation Slides - http://i.blackhat.com/us-18/Thu-August-9/us-18-Shattuck-Snooping-on-Cellular-Gateways-and-Their-Critical-Role-in-ICS.pdf

Outsmarting the Smart City

Speaker: Daniel Crowley, Jennifer Savage, Mauro Paredes

White Paper - http://i.blackhat.com/us-18/Thu-August-9/us-18-Crowley-Outsmarting-The-Smart-City-wp.pdf

SirenJack: Cracking a 'Secure' Emergency Warning Siren System

Speaker: Balint Seeber