Yesterday the DHS NCCIC-ICS published five control system
advisories for products from Kunbus, Siemens, WECON, Rockwell and AVEVA. They
also updated five previously published advisories for products from Siemens and
updated a medical device security advisory for products from BD.
Kunbus Advisory
This advisory
describes three vulnerabilities in the Kunbus PR100088 Modbus gateway. The
vulnerabilities were reported by Nicolas Merle of Applied Risk. Kunbus has a
new version that mitigates the vulnerabilities. There is no indication that Merle
has been provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Improper authentication - CVE-2019-6527;
• Missing authentication for critical function - CVE-2019-6533; and
• Improper input validation - CVE-2019-6529
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to achieve remote code execution
and/or cause a denial-of-service condition.
Siemens Advisory
This advisory
describes two improper input validation vulnerabilities in the Siemens SIMATIC
S7-1500 CPU. The vulnerabilities were reported by Georgy Zaytsev, Dmitry
Sklyarov, Druzhinin Evgeny, Ilya Karpov, and Maxim Goryachy of Positive
Technologies. Siemens has a new version that mitigates the vulnerabilities. There
is no indication that the researchers have been provided an opportunity to
verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to cause a denial-of-service
condition on the device.
WECON Advisory
This advisory
describes three vulnerabilities in the WECON LeviStudioU product. The vulnerabilities
were reported by Mat Powell, Ziad Badawi, and Natnael Samson via the Zero Day
Initiative. WECON has an updated version that mitigates the vulnerabilities.
There is no indication that the researchers have been provided an opportunity
to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Heap-based buffer overflow - CVE-2019-6539;
• Stack-based buffer overflow - CVE-2019-6537; and
• Memory corruption - CVE-2019-6541
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit these vulnerabilities to execute
arbitrary code.
Rockwell Advisory
This advisory
describes an improper input validation vulnerability in the Rockwell EtherNet/IP
Web Server Modules. The vulnerability was reported by Tenable. Rockwell has
provided generic mitigations for the vulnerability. There is no indication that
Tenable has been provided an opportunity to verify the efficacy of the mitigations.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to deny communication with the
Simple Network Management Protocol (SNMP) service.
AVEVA Advisory
This advisory
describes two vulnerabilities in the AVEVA InduSoft Web Studio and InTouch Edge
HMI products. The vulnerabilities were reported by Tenable. AVEVA has a new
version that mitigates the vulnerabilities. AVEVA reports
that Tenable has verified the efficacy of the fix.
The two reported vulnerabilities are:
• Missing authentication for critical function - CVE-2019-6543; and
• Resource injection - CVE-2019-6545
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to execute an arbitrary process
using a specially crafted database connection configuration file.
SIMATIC PCS7 Update
This update provides additional information on an advisory that was originally
published on March 29th, 2018 and updated on April 24th, 2018, June 12th, 2018,
November 14th, 2018 and again on December 13th, 2018. This update provides
corrected version numbers and patch links for WinCC 7.2 and 7.4.
NOTE: I briefly
discussed this update on January 12th.
SIMATIC Update
This update provides additional information on an advisory that was originally
published on March 20th, 2018 and updated on October 9th, 2018. This update
provides corrected version numbers and patch links for SIMATIC S7-300 incl. F and T.
NOTE: I briefly
discussed this update on January 12th.
Industrial Products Update
This update provides additional information on an advisory that was originally
published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017,
August 17th, 2017, October 10th, November 14th, November 28th, February 27th, 2018,
May 3rd, 2018, May 15th, 2018, September 11th, 2018, October 9th, 2018,
November 13th, 2018 and most recently on December 11th, 2018. This update
provides a link to an updated solution for SIMATIC S7-300.
NOTE: I briefly
discussed this update on January 12th.
Discovery Service Update
This update provides additional information on an advisory that was originally
published on August 31st, 2017 and updated on October 3rd, 2017 and again on
November 30th, 2017. This update provides updated version information and
provides a link to the fix for SIMATIC NET PC Software.
NOTE: I briefly
discussed this update on January 12th.
PROFINET Update
This update provides additional information on an advisory that was originally
published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017,
August 17th, 2017, October 10th, November 14th, November 28th, 2017,
January 18th, 2018, January 25th, 2018, January 27th, 2018, March 6th, 2018,
May 3rd, 2018, November 13th, 2018 and most recently on December 11th, 2018.
This update provides corrected information for CP 1243-1.
NOTE: I briefly
discussed this update on January 12th.
BD Update
This update provides additional information on an advisory that was originally
published on January 29th, 2019. In the vulnerability overview section of the
advisory this update changes the words “The application…” to “The system…”.
Commentary
On January 12th, 2019 I reported on the five advisories
and seven updates published by Siemens on December 8th. To date
NCCIC-ICS has only reported on one of the advisories and six of the updates. I
do not expect to see an update on the final Siemens update as it is for the
generic GNU/Linux vulnerabilities that are covered by an NCCIC-ICS alert. I am
beginning to suspect that NCCIC-ICS will not be reporting on the remaining
Siemens advisories. This may be because the vulnerability reports were not
coordinated through NCCIC-ICS. Or it may be that NCCIC-ICS was understaffed
during the recent Federal Funding Fiasco and has not yet had time to catch up
with all of the vulnerability reporting that occurred during that time.
As I gradually expand the list of web sites that I scan
weekly for my ‘Public ICS Disclosures’ blog post, it is becoming rather obvious
that NCCIC-ICS is not a central clearing house for ICS vulnerability
disclosures. That means that there is no central agency that is tracking (and
more importantly reporting on) vulnerabilities in the ICS sphere. With the
major ICS vendors this is probably not a major issue since they have relatively
robust reporting systems of their own. But for the second and third tier of
vendors, this is going to become a serious problem.
If/when Congress ever gets around to looking at the subject
of control system security, one of the issues that they are going to have to
look at (and hopefully rationally deal with) is the issue of vulnerability
coordination and disclosure. When/if they do that, I would hope that they would
consider codifying and expanding the role of NCCIC-ICS in that process. And, I
believe, that part of that expansion should be establishing NCCIC-ICS as the
public clearing house for vulnerability disclosure in the control system arena.