Wednesday, February 6, 2019

5 Advisories and 6 Updates Published – 02-05-19


Yesterday the DHS NCCIC-ICS published five control system advisories for products from Kunbus, Siemens, WECON, Rockwell and AVEVA. They also updated five previously published advisories for products from Siemens and updated a medical device security advisory for products from BD.

Kunbus Advisory 


This advisory describes three vulnerabilities in the Kunbus PR100088 Modbus gateway. The vulnerabilities were reported by Nicolas Merle of Applied Risk. Kunbus has a new version that mitigates the vulnerability. There is no indication that Merle has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper authentication - CVE-2019-6527;
• Missing authentication for critical function - CVE-2019-6533; and
• Improper input validation - CVE-2019-6529

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to achieve remote code execution and/or cause a denial-of-service condition.

Siemens Advisory 


This advisory describes two improper input validation vulnerabilities in the Siemens SIMATIC S7-1500 CPU. The vulnerabilities were reported by Georgy Zaytsev, Dmitry Sklyarov, Druzhinin Evgeny, Ilya Karpov, and Maxim Goryachy of Positive Technologies. Siemens has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to cause a denial-of-service condition on the device.

WECON Advisory 


This advisory describes three vulnerabilities in the WECON LeviStudioU product. The vulnerabilities were reported by Mat Powell, Ziad Badawi, and Natnael Samson via the Zero Day Initiative. WECON has an updated version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Heap-based buffer overflow - CVE-2019-6539;
• Stack-based buffer overflow - CVE-2019-6537; and
• Memory corruption - CVE-2019-6541

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to execute arbitrary code.

Rockwell Advisory 


This advisory describes an improper input validation vulnerability in the Rockwell EtherNet/IP Web Server Modules. The vulnerability was reported by Tenable. Rockwell has provided generic mitigations for the vulnerability. There is no indication that Tenable has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to deny communication with the Simple Network Management Protocol (SNMP) service.

AVEVA Advisory


This advisory describes two vulnerabilities in the AVEVA InduSoft Web Studio and InTouch Edge HMI products. The vulnerabilities were reported by Tenable. AVEVA has a new version that mitigates the vulnerability. AVEVA reports that Tenable has verified the efficacy of the fix.

The two reported vulnerabilities are:

• Missing authentication for critical function - CVE-2019-6543; and
• Resource injection - CVE-2019-6545

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute an arbitrary process using a specially crafted database connection configuration file.

SIMATIC PCS7 Update 


This update provides additional information on an advisory that was originally published on March 29th, 2018 and updated on April 24th, 2018, June 12th, 2018, November 14th, 2018 and again on December 13th, 2018. This update provides corrected version numbers and patch links for WinCC 7.2 and 7.4.

NOTE: I briefly discussed this update on January 12th.

SIMATIC Update


This update provides additional information on an advisory that was originally published on March 20th, 2018 and updated on October 9th, 2018. This update provides corrected version numbers and patch links for SIMATIC S7-300 incl. F and T.

NOTE: I briefly discussed this update on January 12th.


Industrial Products Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, November 14th, November 28th, February 27th, 2018, May 3rd, 2018, May 15th, 2018, September 11th, 2018, October 9th, 2018, November 13th, 2018 and most recently on December 11th, 2018. This update provides a link to an updated solution for SIMATIC S7-300.

NOTE: I briefly discussed this update on January 12th.

Discovery Service Update 


This update provides additional information on an advisory that was originally published on 8-31-17 and updated on October 3rd, 2017 and again on November 30th, 2017. This update provides updated version information and provides a link to the fix for SIMATIC NET PC Software.

NOTE: I briefly discussed this update on January 12th.

PROFINET Update


This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, November 14th, November 28th, 2017, January 18th, 2018, January 25th, 2018, January 27th, 2018, March 6th, 2018, May 3rd, 2018, November 13th, 2018 and most recently on December 11th, 2018. This update provides corrected information for CP 1243-1.

NOTE: I briefly discussed this update on January 12th.

BD Update


This update provides additional information on an advisory that was originally published on January 29th, 2019. In the vulnerability overview section of the advisory this update changes the words “The application…” to “The system…”.

Commentary


On January 12th, 2019 I reported on the five advisories and seven updates published by Siemens on December 8th. To date NCCIC-ICS has only reported on one of the advisories and six of the updates. I do not expect to see an update on the final Siemens update, as it is for the generic GNU/Linux vulnerabilities that are covered by an NCCIC-ICS alert. I am beginning to suspect that NCCIC-ICS will not be reporting on the remaining Siemens advisories. This may be because the vulnerability reports were not coordinated through NCCIC-ICS. Or it may be that NCCIC-ICS was understaffed during the recent Federal Funding Fiasco and has not yet had time to catch up with all of the vulnerability reporting that occurred during that time.

As I gradually expand the list of web sites that I scan weekly for my ‘Public ICS Disclosures’ blog post, it is becoming rather obvious that NCCIC-ICS is not a central clearing house for ICS vulnerability disclosures. That means that there is no central agency that is tracking (and more importantly reporting on) vulnerabilities in the ICS sphere. With the major ICS vendors this is probably not a major issue since they have relatively robust reporting systems of their own. But for the second and third tier of vendors, this is going to become a serious problem.

If/when Congress ever gets around to looking at the subject of control system security, one of the issues that they are going to have to look at (and hopefully rationally deal with) is vulnerability coordination and disclosure. When/if they do that, I would hope that they would consider codifying and expanding the role of NCCIC-ICS in that process. And I believe that part of that expansion should be establishing NCCIC-ICS as the public clearing house for vulnerability disclosure in the control system arena.
