Thursday, February 7, 2019

2 Advisories and 3 Updates Published – 02-07-19


Today the DHS NCCIC-ICS published two control system advisories for products from Siemens and three updates for products from Kunbus, Omron and Fuji Electric.

EN100 Advisory


This advisory describes two improper input validation vulnerabilities in the Siemens EN100 Ethernet module. These vulnerabilities were reported by Victor Nikitin, Vladislav Suchkov, and Ilya Karpov from ScadaX. Siemens has provided updates for some of the affected products. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to conduct a denial-of-service attack over the network.

NOTE: I briefly discussed this update on January 12th.

SICAM Advisory


This advisory describes an uncaught exception vulnerability in the Siemens SICAM A8000 RTU. The vulnerability was reported by Emanuel Duss and Nicolas Heiniger from Compass Security. Siemens has updates that mitigate the vulnerability. There is no indication that the researchers have been offered an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability, allowing unauthenticated remote users to cause a denial-of-service condition on the web server of affected products.

NOTE: I briefly discussed this update on January 12th.

Siemens Update – There are two advisories from the January 8th tranche of vulnerability disclosures from Siemens. It will be interesting to see if they are processed by NCCIC-ICS before the next scheduled Siemens advisory disclosures on February 12th.

Kunbus Update


This update provides additional information on an advisory that was originally published on February 5th, 2019. The update includes:

• Adding two additional vulnerabilities (information exposure through query strings in GET request and clear-text storage of sensitive information); and
• Reporting that the two added vulnerabilities will be mitigated in the next version (end of the month).

Omron Update


This update provides additional information on an advisory that was originally published on January 17th, 2019. The update includes:

• Adding two additional vulnerabilities (access of uninitialized pointer and out-of-bounds read); and
• Adding Michael DePlante as a vulnerability reporter.

Fuji Update


This update provides additional information on an advisory that was originally published on September 27th, 2018. The update reports that a new version is available that mitigates the vulnerability.
