Yesterday the DHS NCCIC-ICS published a control system
security advisory for products from WECON and two medical device security
advisories for products from Change Healthcare and Carestream.
WECON Advisory
This advisory describes four vulnerabilities in the WECON PI
Studio, an HMI project programmer. The vulnerabilities were reported by Mat
Powell and Natnael Samson (Natti) via the Zero Day Initiative. WECON is working
on mitigation measures.
The four reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2018-14818;
• Out-of-bounds write - CVE-2018-14810;
• Information exposure through XML external entity reference - CVE-2018-17889; and
• Out-of-bounds read - CVE-2018-14814.
NCCIC-ICS reports that a relatively low-skilled attacker could
remotely exploit these vulnerabilities to achieve remote code execution,
execute code in the context of an administrator, read past the end of an
allocated object, or disclose sensitive information in the context of an
administrator.
Change Healthcare Advisory
This advisory
describes an information exposure through error message vulnerability in the
Change Healthcare PeerVue Web Server. The vulnerability was reported by Dan
Regalado of Zingbox. Change Healthcare has a patch available to mitigate the
vulnerability. There is no indication that Regalado has been provided an opportunity
to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker on
an adjacent network could exploit the vulnerability to obtain technical
information about the PeerVue Web Server, which could be used to target the
system for further attack.
Carestream Advisory
This advisory
describes an information exposure through an error message vulnerability in the
Carestream Vue RIS, a web-based radiology information system. The vulnerability
was reported by Dan Regalado of Zingbox. Carestream has a new version that
mitigates the vulnerability and has provided workarounds. There is no
indication that Regalado has been provided an opportunity to verify the
efficacy of the fix.
NCCIC-ICS reports that an uncharacterized attacker with
access to the network can exploit the vulnerability to passively read traffic.
NOTE: It is always interesting to see a researcher who has
found an unusual vulnerability in one system then look for the same type of vulnerability
in other related systems. It makes me wonder if developers reading these
advisories (and of course they do, right?) ask themselves if their systems have
the same vulnerability.