Wednesday, November 7, 2018

One Advisory and One Update Published

Yesterday the DHS NCCIC-ICS published a medical device security advisory for products from Roche. It also updated a control system security advisory for products from Schneider.

Roche Advisory

This advisory describes five vulnerabilities in Roche Point of Care handheld medical devices. The vulnerabilities were reported by Niv Yehezkel of Medigate. Roche has published only generic workarounds to mitigate the vulnerabilities. There is no indication that Yehezkel has been provided an opportunity to verify the efficacy of the fix (in this case that is just boilerplate, since there are no real mitigation measures to evaluate).

The five vulnerabilities are:

• Improper authentication - CVE-2018-18561;
• OS command injection - CVE-2018-18562;
• Unrestricted upload of a file with dangerous type - CVE-2018-18563; and
• Improper access control (2) - CVE-2018-18564 and CVE-2018-18565.

NCCIC-ICS reports that a relatively low-skilled attacker with adjacent network access could exploit these vulnerabilities to gain unauthorized access to the device, modify system settings, or execute arbitrary code.

NOTE: NCCIC-ICS has taken the unusual step of listing the vulnerable devices separately for each vulnerability. This makes for a very complicated advisory, particularly since no practical security advice is provided beyond the generic workarounds.

Schneider Update

This update provides new information on an advisory that was previously published on November 1st, 2018. The new information includes:

• Removing the list of products that can load the affected software and pointing at the Schneider advisory instead (the latest version of that advisory adds new affected products); and
• Changing the wording about the availability of the software update.

NOTE: The revised Schneider advisory also adds the following generic mitigation measure:

“Physical controls should be in place so that no unauthorized person would have access to the ICS and safety controllers, peripheral equipment or the ICS and safety networks.”

