This week we have five vendor notifications for products
from ABB (2), OSIsoft, Eaton and Siemens and seven vendor updates of previously
issued notifications from Siemens. It has been a busy week.
ABB Advisories
ABB published two advisories (here and here) for their Pluto E2-Gate
Ethernet gateway. The two vulnerabilities were reported
by Nelson Berg (Applied Risk). ABB has provided generic workarounds for these
vulnerabilities. There is no indication that Berg has been provided an
opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• No access control - CVE-2018-18995; and
• Cross-site scripting - CVE-2018-18997
OSIsoft Advisory
OSIsoft published an
advisory for a cross-site scripting vulnerability in their PI Vision 2017.
This vulnerability was self-reported. OSIsoft has a new version that mitigates
the vulnerability.
Eaton Advisory
Eaton published an
advisory for undisclosed vulnerabilities in their XP 503 Panel PC. These
vulnerabilities are related to the use of Windows Embedded Standard 7 as the
operating system. Eaton provides generic workarounds to mitigate the
vulnerabilities.
Siemens Advisory
Siemens published an
advisory for a missing authentication vulnerability in their TIM 1531 IRC
Modules. This vulnerability is self-reported. Siemens provides specific
workarounds to mitigate the vulnerability.
Siemens Updates
As part of the swath of 14 advisories and updates issued by
Siemens this week there were three updates that were not covered by NCCIC-ICS
updates. These were for vulnerabilities addressed in ICS-CERT generic alerts;
NCCIC-ICS does not update these alerts for new information from the existing
vendor list on the alert. The links on those alerts already take interested
parties to this latest information.
• SSA-254686, v 1.2 - Foreshadow / L1 Terminal Fault Vulnerabilities in
Industrial Products - Added solution for SIMATIC IPC627D, SIMATIC IPC677D,
SIMATIC IPC827D;
• SSB-439005, v 1.1 - Vulnerabilities in the additional GNU/Linux subsystem of
the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP - Added CVE-13053 and
CVE-2018-19591;
• SSA-268644, v 1.3 - Spectre-NG (Variants 3a and 4) Vulnerabilities in
Industrial Products - Added solution for SIMATIC IPC547G, SIMATIC IPC627D,
SIMATIC IPC677D, SIMATIC IPC827D, SINUMERIK PCU 50.5;
There were three additional updates that I suspect that
NCCIC-ICS could still pick up in the coming week, or maybe not since the latest
version of each of these advisories
essentially negated the correction made in the previous version.
• SSA-181018, v 1.1 and v 1.2 – NCCIC-ICS originally published their advisory
for this vulnerability on June 14th, 2018 – v 1.1: Added solution for
RUGGEDCOM WiMAX; v 1.2: Update for RUGGEDCOM WiMAX not available, see
mitigations; and
• SSA-293562, v 2.5 – NCCIC-ICS published their last update on these
vulnerabilities (ICSA-17-129-02) on December 11th, 2018 - Corrected download
links, update for CP 1243-1 not available, see mitigations; and
Commentary
It is disconcerting to see that only one of the five original
vendor notifications listed here this week (OSIsoft) contains an actual
mitigation for the reported vulnerabilities and only one of the workarounds
(Siemens) provided for the other four provides specific actionable information
(the port to be blocked). And the ‘advisory’ from Eaton is so generic and lacking
in any specific information that it might as well not have been published. And
then Siemens was forced to withdraw (without explanation) previously published
mitigation measures for three of their advisories/updates. It was a sad week
for public ICS disclosures.