Yesterday the DHS NCCIC-ICS published a medical device security advisory for products from Roche. It also updated a control system security advisory for products from Schneider.
Roche Advisory
This advisory describes five vulnerabilities in Point of Care handheld medical devices. The vulnerabilities were reported by Niv Yehezkel of Medigate. Roche has generic workarounds to mitigate the vulnerabilities. There is no indication that Yehezkel has been provided an opportunity to verify the efficacy of the fix (okay, in this case that is just boilerplate since there are no real mitigation measures to evaluate).
The five vulnerabilities are:
• Improper authentication - CVE-2018-18561;
• OS command injection - CVE-2018-18562;
• Unrestricted upload of a file with dangerous type - CVE-2018-18563; and
• Improper access control (2) - CVE-2018-18564 and CVE-2018-18565.
NCCIC-ICS reports that a relatively low-skilled attacker with adjacent access could exploit these vulnerabilities to gain unauthorized access in order to modify system settings or execute arbitrary code.
NOTE: NCCIC-ICS has taken the unusual step of listing the vulnerable devices for each vulnerability. This is a very complicated advisory, particularly since there is no practical security advice provided.
Schneider Update
This update provides new information on an advisory that was previously published on November 1st, 2018. The new information includes:
• Removing the list of products that can load the affected software and pointing to the Schneider advisory instead (the latest version of that advisory adds new affected products); and
• Changing the wording about the availability of the software update.
NOTE: The revised Schneider advisory also adds the following generic mitigation measure:
“Physical controls should be in place so that no unauthorized person would have access to the ICS and safety controllers, peripheral equipment or the ICS and safety networks.”