Thursday, December 13, 2018

5 Advisories and 2 Updates Published – 12-13-18

Today the DHS NCCIC-ICS published four control system security advisories for products from GE, Geutebruck, Siemens and Schneider and one medical device security advisory for products from Medtronic. They also published an update for a previously published control system security advisory for products from Siemens and a medical device security advisory for products from Philips.

GE Advisory


This advisory describes a path traversal vulnerability in the GE Mark VIe, EX2100e, EX2100e_Reg, and LS2100e distributed control systems. The vulnerability was reported by Can Demirel of Biznet Bilisim. GE has a new version that mitigates the vulnerability. There is no indication that Demirel has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to access system data, which could result in escalation of privilege and unauthorized access to the controller.

Geutebruck Advisory


This advisory describes an OS command injection vulnerability in the Geutebruck E2 Camera Series. The vulnerability was reported by Davy Douhine of RandoriSec. Geutebruck has a new version that mitigates the vulnerability. There is no indication that Douhine has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to inject OS commands as root.

Siemens Advisory


This advisory describes two improper input validation vulnerabilities in the Siemens EN100 Ethernet Communication Module and SIPROTEC 5 relays. These vulnerabilities were reported by Victor Nikitin, Vladislav Suchkov, and Ilya Karpov from ScadaX. Siemens has updates for some of the affected products and continues to work on updates for the remaining products.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to cause a denial-of-service condition of the network functionality of the device, compromising the availability of the system.

NOTE: This advisory was published when Siemens published an update last Tuesday. The original Siemens advisory was reported here back in July, 2018.

Schneider Advisory


This advisory describes three vulnerabilities in the Schneider Electric GUIcon. The vulnerabilities were reported by mdm and rgod of 9SG Security Team. Schneider has a new version that mitigates the vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Type confusion (2) - CVE-2018-7813 and CVE-2018-7815; and
• Stack-based buffer overflow - CVE-2018-7814

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to execute code with privileges within the context of the application.

NOTE: I briefly reported the Schneider advisory last Saturday.

Medtronic Advisory


This advisory describes a missing encryption of sensitive data vulnerability in the Medtronic 9790 CareLink Programmer, 2090 CareLink Programmer, and 29901 Encore Programmer, which are programmers for Medtronic cardiac devices. The vulnerability was reported by researchers Billy Rios and Jonathan Butts of Whitescope LLC. Medtronic has provided generic workarounds for two of the devices and reports that the 9970 is out of support and all use should be discontinued. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with physical access to the devices could exploit the vulnerability to access PHI or PII stored on the device.

Siemens Update

This update provides additional information for an advisory that was originally published on March 29th, 2018 and updated on April 24th, 2018, June 12th, 2018 and again on November 14th, 2018. The update provides updated affected version information and mitigation links for SIMATIC NET PC-Software.

NOTE: Siemens updated their advisory on Tuesday and then again today. This NCCIC-ICS update reflects the corrected information published by Siemens today.

Philips Update


This update provides additional information for an advisory that was originally published on March 27th, 2018 and subsequently updated on December 11th, 2018. The updated information includes revised affected version data.

More Missing Siemens Updates


Siemens published four more updates today; only one of those was addressed by NCCIC-ICS today. It will be a long blog post here on Saturday. 
