Yesterday the DHS ICS-CERT published five control system
security advisories for products from Siemens (3) and Fuji Electric (2). They
also updated three previously published advisories for products from Siemens
and the Meltdown/Spectre alert.
SCALANCE Advisory
This advisory
describes an improper input validation vulnerability in the Siemens SCALANCE X
Switches. The vulnerability is being self-reported. Siemens has updates available
for two of the three affected products and has identified mitigation measures.
ICS-CERT reports that a relatively low-skilled attacker
could use publicly available exploits to remotely exploit the vulnerability to
cause a denial-of-service condition.
SIMATIC Advisory
This advisory
describes an improper access control vulnerability in the Siemens SIMATIC WinCC
OA HMI. The vulnerability is being self-reported. Siemens has an update
available to mitigate the vulnerability.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to escalate their privileges in the
context of the program.
TD Keypad Designer Advisory
This advisory
describes an unprotected search path element vulnerability in the Siemens TD
Keypad Designer. The vulnerability is being self-reported. Siemens has
identified generic mitigation measures for the vulnerability.
ICS-CERT reports that a relatively low-skilled attacker with
local access could exploit the vulnerability to escalate their privileges.
V-Server Lite Advisory
This advisory
describes a classic buffer overflow vulnerability in the Fuji V-Server Lite.
The vulnerability was reported by Ariele Caltabiano (kimiya) via the Zero Day
Initiative (ZDI). Fuji has a firmware update available to mitigate the
vulnerability. There is no indication that Caltabiano has been provided an opportunity
to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to view sensitive information and
disrupt the availability of the device.
V-Server Advisory
This advisory
describes seven vulnerabilities in the Fuji V-Server. The vulnerabilities were
reported by Steven Seeley (mr_me) of Source Incite via ZDI. Fuji has a new
software version that mitigates the vulnerabilities. There is no indication
that Seeley has been provided an opportunity to verify the efficacy of the fix.
The seven reported vulnerabilities are:
• Use after free - CVE-2018-14809;
• Untrusted pointer dereference - CVE-2018-14811;
• Heap-based buffer overflow - CVE-2018-14813;
• Out-of-bounds write - CVE-2018-14815;
• Integer underflow - CVE-2018-14817;
• Out-of-bounds read - CVE-2018-14819; and
• Stack-based buffer overflow - CVE-2018-14823
ICS-CERT reports that a relatively low-skilled attacker
could use publicly available exploits to remotely exploit the vulnerabilities
to allow for remote code execution on the device, causing a denial of service
condition or information exposure.
Industrial Products Update
This update
provides new information on an advisory that was originally
published on May 9th, 2017 and updated on June 15, 2017, on July 25th, 2017,
on August 17th, 2017, on October 10th, on November 14th, November 28th,
February 27th, 2018, May 3rd, 2018 and most recently on May 15th, 2018. The
new information includes revised affected versions data and mitigation
measures for:
• SINAMICS DCP w. PN; and
• SINAMICS DCM w. PN
SIMATIC Update
This update
provides new information on an advisory that was originally
published on May 17th, 2018. The new information includes additional
mitigation measures that can be used.
OpenSSL Update
This update
provides new information on an advisory that was originally
published on August 14th, 2018. The new information includes revised
affected versions data and mitigation measures for WinCC OA.
Meltdown/Spectre Update
This update
provides new information on an alert that was originally
published on January 11th, 2018 and updated on January 16th, 2018,
January 17th, 2018, January 30th, 2018, February 20th, 2018,
February 22nd, 2018, March 1st, 2018, and most recently on July 10th, 2018.
The new information includes a link to a new Meltdown/Spectre
advisory from Siemens.
Note: While this newly added advisory from Siemens and
another Siemens advisory on the older versions of Meltdown/Spectre address
newer versions of the vulnerability, ICS-CERT has failed to provide any
information (or links to information) about these new problems.