This week we have five vendor notifications for products
from ABB (2), OSIsoft, Eaton and Siemens and seven vendor updates of previously
issued notifications from Siemens. It has been a busy week.
ABB Advisories
ABB published two advisories (here
and here)
for their Pluto E2-Gate, ethernet gateway. The two vulnerabilities were reported
by Nelson Berg (Applied Risk). ABB has provided generic workarounds for these
vulnerabilities. There is no indication that Berg has been provided an
opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• No access control - CVE-2018-18995;
and
• Cross-site scripting - CVE-2018-18997
OSIsoft Advisory
OSIsoft published an
advisory for a cross-site scripting vulnerability in their PI Vision 2017.
This vulnerability was self-reported. OSIsoft has a new version that mitigates
the vulnerability.
Eaton Advisory
Eaton published an
advisory for undisclosed vulnerabilities in their XP 503 Panel PC. These
vulnerabilities are related to the use of Windows Embedded Standard 7 as the
operating system. Eaton provides generic workarounds to mitigate the
vulnerabilities.
Siemens Advisory
Siemens published an
advisory for a missing authentication vulnerability in their TIM 1531 IRC
Modules. This vulnerability is self-reported. Siemens provides specific
workarounds to mitigate the vulnerability.
Siemens Updates
As part of the swath of 14 advisories and updates issued by
Siemens this week there were three updates that were not covered by NCCIC-ICS
updates. These were for vulnerabilities addressed in ICS-CERT generic alerts;
NCCIC-ICS does not update these alerts for new information from the existing
vendor list on the alert, the links on those alerts already take interested
parties to this latest information.
• SSA-254686,
v 1.2 - Foreshadow / L1 Terminal Fault Vulnerabilities in Industrial Products -
Added solution for SIMATIC IPC627D, SIMATIC IPC677D, SIMATIC IPC827D;
• SSB-439005,
v 1.1 - Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC
S7-1500 CPU 1518(F)-4 PN/DP MFP - Added CVE-13053 and CVE-2018-19591;
• SSA-268644,
v 1.3 - Spectre-NG (Variants 3a and 4) Vulnerabilities in Industrial Products -
Added solution for SIMATIC IPC547G, SIMATIC IPC627D, SIMATIC IPC677D, SIMATIC
IPC827D, SINUMERIK PCU 50.5;
There were three additional updates that I suspect that
NCCIC-ICS could still pick-up in the coming week, or maybe not since the latest
version of each of these advisories
essentially negated the correction made in the previous version.
• SSA-181018,
v 1.1 and v 1.2 – NCCIC-ICS originally
published their advisory for this vulnerability on June 14th,
2018 – v 1.1: Added solution for RUGGEDCOM WiMAX; v 1.2: Update for RUGGEDCOM
WiMAX not available, see mitigations; and
• SSA-293562,
v 2.5 – NCCIC-ICS published their last update on these vulnerabilities (ICSA-17-129-02)
on December
11th, 2018 - Corrected download links, update for CP 1243-1 not
available, see mitigations; and
Commentary
It is disconcerting to see that only one of the five original
vendor notifications listed here this week (OISsoft) contains an actual
mitigation for the reported vulnerabilities and only one of the workarounds
(Siemens) provided for the other four provides specific actionable information
(the port to be blocked). And the ‘advisory’ from Eaton is so generic and lacking
in any specific information that it might not as well have been published. And
then Siemens was forced to withdraw (without explanation) previously published
mitigation measures for three of their advisories/updates. It was a sad week
for public ICS disclosures.
Posts
No comments:
Post a Comment