Today the DHS NCCIC-ICS published two control system security
advisories for products from Rockwell and GE. Additionally they published a
medical device security advisory for products from Philips. The Rockwell
advisory was originally published on the HSIN ICS-CERT library on November 6,
2018 to allow owner/operators to mitigate the vulnerability before it was made
public on the NCCIC-ICS site.
I also think that it is worth mentioning that yesterday Siemens
announced changes in the way they were publishing security advisories for their
products.
Rockwell Advisory
This advisory
describes a missing authentication for critical function vulnerability in the
Rockwell MicroLogix 1400 Controllers and 1756 ControlLogix Communications
Modules. The vulnerability was reported by David Noren. Rockwell reports that a
newer firmware version mitigates the vulnerability. There is no indication that
Noren was provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow an unauthenticated attacker
to modify system settings and cause a loss of communication between the device
and the system.
I briefly discussed the Rockwell
notice for this vulnerability in a post on November 10th, 2018.
GE Advisory
This advisory
describes an XXE vulnerability in the GE Proficy GDS service. The vulnerability
was reported by Vladimir Dashchenko of Kaspersky Lab. GE reports that a newer
version mitigates the vulnerability. There is no indication that Dashchenko has
been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to allow an attacker to initiate an
OPC UA session and retrieve an arbitrary file.
The GE
security notification for this vulnerability notes that this is an
underlying OPC issue that was addressed in an OPC
security bulletin.
Philips Advisory
This advisory
describes an inadequate encryption strength vulnerability in the Philips
HealthSuite Health Android App. The vulnerability was reported by an unnamed
(by Philips) security researcher. Philips has provided a generic workaround pending
a release of a new version next quarter.
NCCIC-ICS reports that a relatively low-skilled attacker
with physical access to the device could exploit the vulnerability to impact
confidentiality and integrity of the product.
Siemens Announcement
Yesterday Siemens announced
on Twitter that they would be block publishing advisories for security
vulnerabilities on the 2nd Tuesday of every month. This policy has
obviously been in place for a couple of months (see here
for example). They did note that: “In case we have reasons to publish
advisories out of band (e.g. due to criticality), we will still do so.” We have
also recently
seen that.
There are some obvious plusses and minuses to this policy.
On a personal note, it makes for some long blog posts for these 2nd
Tuesday releases. More realistically it helps owners with the making of
decisions about patching when all of the advisories for a product release at
the same time. Unfortunately, it may allow for longer effective 0-day openings
when an attacker discovers a vulnerability that has been ‘fixed’ by Siemens,
but the advisory has not been released. This is where we have to rely on Siemens’
judgement about criticality, but we have always had to do that anyway.