Wednesday, December 12, 2018

Two Advisories and Three Updates Published – 12-11-18


Yesterday the DHS NCCIC-ICS published two control system security advisories and updates to two previously published control system advisories; all for products from Siemens. They also published a medical device security advisory for products from Philips.

SINUMERIK Advisory


This advisory describes ten vulnerabilities in the Siemens SINUMERIK Controllers. The vulnerabilities were reported by Anton Kalinin, Danila Parnishchev, Dmitry Sklyar, Gleb Gritsai, Kirill Nesterov, Radu Motspan, and Sergey Sidorov from Kaspersky Lab. Siemens has updates for several of the products and provides workarounds for the others. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The ten reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2018-11457;
• Integer overflow or wraparound - CVE-2018-11458;
• Protection mechanism failure (2) - CVE-2018-11459 and CVE-2018-11460;
• Permission, privileges and access control (2) - CVE-2018-11461 and CVE-2018-11462;
• Stack-based buffer overflow - CVE-2018-11463; and
• Uncaught exception (3) - CVE-2018-11464, CVE-2018-11465 and CVE-2018-11466

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause denial-of-service conditions, privilege escalation, or allow remote code execution.

SINAMICS Advisory


This advisory describes an improper access control vulnerability in the Siemens SINAMICS PERFECT HARMONY GH180 (based upon a 3rd party vulnerability – McAfee Application and Change Control). The vulnerability was reported by McAfee. Siemens recommends installing a McAfee update to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with physical access could exploit the vulnerability to compromise the HMI, and by extension, the drive system.

PROFINET Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15, 2017, on July 25th, 2017, on August 17th, 2017, on October 10th, on November 14th, November 28th, 2017, January 18th, 2018, January 25th, 2018, January 27th, 2018, March 6th, 2018, May 3rd, 2018 and most recently on November 13th, 2018. The update provides new affected version information and mitigation measures for:

• SIMATIC ET 200MP IM155-5 PN HF; and
• SIRIUS ACT 3SU1 interface module PROFINET

Industrial Products Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15, 2017, on July 25th, 2017, on August 17th, 2017, on October 10th, on November 14th, November 28th, February 27th, 2018, May 3rd, 2018, May 15th, 2018, September 11th, 2018, October 9th, 2018 and most recently on November 13th, 2018. This update provides new mitigation information for SIMATIC ET 200MP IM155-5 PN HF.

Philips Update


This update provides new information on an advisory that was originally published on March 27th, 2018. This update slips the new version expected date from ‘December 2018’ to ‘Q1 of 2019’.

Other Siemens Updates


Yesterday Siemens published a total of three new advisories and seven updates. We may see more from NCCIC-ICS later this week, but some will not be specifically addressed by NCCIC-ICS. I will have further information on the remainder on Saturday.
