This week there was a vendor vulnerability disclosure from
Siemens. There were also four exploits published for products from Delta
Industrial, WAGO, and Phoenix Contact (2). I am also going to take a quick look
at some additional information on an NCCIC-ICS advisory for the Hangzhou XMeye
P2P Cloud Server published this week.
Siemens Advisory
Siemens published an
advisory on Foreshadow and L1 Terminal Fault (L1TF) in their industrial
product line. These are another pair of speculative execution attack
vulnerabilities based on the processors used in the affected devices. More details
on the generic vulnerabilities can be found here. Siemens has some BIOS updates
available to mitigate the vulnerabilities (three separate CVEs are involved) and
has provided workarounds for other products.
This advisory was published in the same
batch that was covered extensively by NCCIC-ICS on Tuesday. I have no idea
why this was not included unless NCCIC-ICS is lumping these new vulnerabilities
in with the Spectre and Meltdown problem. Even if that is the case, this would
then have deserved an update to their alert on those issues.
Delta Industrial Exploit
A Metasploit
module was published for a previously
identified stack-based buffer overflow vulnerability in the Delta
Industrial COMMGR software.
WAGO Exploit
SecuNinja published an exploit for a
cross-site scripting vulnerability in the WAGO 750-881 Ethernet controller.
No CVE number is provided, so it is possible that this is a 0-day
vulnerability being exploited.
Phoenix Contact Exploit
Photubias published two exploits for previously
identified vulnerabilities in the Phoenix Contact ILC PLC via their WebVisit
HMI page.
The three reported vulnerabilities covered in these exploits
are:
• Cleartext storage of sensitive information - CVE-2016-8366;
• Authentication bypass issues - CVE-2016-8371; and
• Access to critical private variable via public method - CVE-2016-8380.
Hangzhou Advisory
Earlier this week NCCIC-ICS published their advisory
for three vulnerabilities in the Hangzhou XMeye P2P Cloud Server. As is typical
for these advisories, NCCIC-ICS provided summary data on the issue. Since
Hangzhou effectively did not respond to the coordination efforts of NCCIC-ICS,
there was no vendor information provided in the advisory. While NCCIC-ICS did acknowledge
the vulnerability reporting effort of SEC Consult, they did not (as is their
apparent policy) provide any link to the reporting organization's information on the
vulnerabilities.
Generally speaking, this policy of not linking to supporting
documentation from researchers is a mistake and, in this instance, it does a
gross disservice to the affected community by severely understating the potential
problems associated with the affected devices. In particular, it fails to
explain that the vulnerabilities affect a large number of vendors that rebrand
and sell the affected Hangzhou DVR products.
SEC Consult published an
advisory on the vulnerabilities as well as a lengthy blog
post. Brian Krebs also did a lengthy blog
post on the topic.