Yesterday the DHS NCCIC-ICS published six control system security advisories for products from Siemens (5) and OSIsoft. They also updated seven previously published advisories for products from Siemens.
CP1604 Advisory
This advisory describes three vulnerabilities in the Siemens CP1604 and CP1616 products. These vulnerabilities were self-reported. Siemens has a new version that mitigates the vulnerabilities.
The three reported vulnerabilities are:
• Clear-text transmission of sensitive information - CVE-2018-13808;
• Cross-site scripting - CVE-2018-13809; and
• Cross-site request forgery - CVE-2018-13810
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow a denial-of-service condition and information exposure. An attacker could inject arbitrary JavaScript in a specially crafted URL request to execute on an unsuspecting user’s system, allowing the attacker to trigger actions via the web interface that a legitimate user is allowed to perform.
NOTE: I briefly discussed this advisory on January 12th.
Intel Active Management Advisory
This advisory describes three vulnerabilities in the Intel Active Management Technology (AMT) of Siemens SIMATIC IPCs. The vulnerabilities are self-reported. These vulnerabilities exist in third-party (Intel) firmware on the affected PCs. Siemens has firmware updates that mitigate the vulnerabilities.
The three reported vulnerabilities are:
• Cryptographic issues - CVE-2018-3616;
• Improper restrictions of operations within the bounds of a memory buffer - CVE-2018-3657; and
• Resource management errors - CVE-2018-3658
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow arbitrary code execution, a partial denial-of-service condition, or information disclosure. The Siemens advisory reports that:
“The security vulnerability could be exploited by an attacker with network access to the affected systems. Successful exploitation requires no system privileges and no user interaction.”
NOTE: These vulnerabilities could be found on a large number of industrial PCs not related to the Siemens products in this advisory.
SIMATIC Advisory
This advisory describes an improper input validation vulnerability in the Siemens SIMATIC S7-300 CPU. The vulnerability was reported by the China Industrial Control Systems Cyber Emergency Response Team (CIC). Siemens has a firmware update that mitigates the vulnerability. There is no indication that CIC has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow the attacker to crash the device being accessed, resulting in a denial-of-service condition.
NOTE: I briefly discussed this advisory on January 12th.
Licensing Software Advisory
This advisory describes three vulnerabilities in the Siemens WibuKey Digital Rights Management (DRM) used with SICAM 230. These vulnerabilities are self-reported. Siemens has provided links to a third-party update to mitigate the vulnerabilities. These vulnerabilities were originally reported in the WibuKey product in December by Talos; see the links on the CVE numbers for the Talos reports.
The three reported vulnerabilities are:
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow information disclosure, privilege escalation, or remote code execution. NOTE: The Talos reports provide proof of concept exploit code.
Again, as with any third-party vulnerability, these problems could be seen in systems from other vendors that also use the WibuKey DRM.
EN100 Ethernet Communications Module Advisory
This advisory describes an improper input validation vulnerability in the Siemens EN100 Ethernet Communication Module and SIPROTEC 5 Relays. The vulnerability was reported by Lars Lengersdorf from Amprion GmbH. Siemens has updates for some of the affected products. There is no indication that Lengersdorf has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to conduct a denial-of-service attack over the network.
OSIsoft Advisory
This advisory describes a cross-site scripting vulnerability in the OSIsoft PI Vision application. The vulnerability is self-reported. OSIsoft has a new version that mitigates this vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker to read and modify the contents of the PI Vision web page and data related to the PI Vision application in the victim’s browser.
NOTE: I briefly discussed this vulnerability on December 18th, 2018.
Meltdown/Spectre Update
This update provides additional information on an advisory that was originally published on January 11th, 2018 and updated on January 16th, 2018, January 17th, 2018, January 30th, 2018, February 20th, 2018, February 22nd, 2018, March 1st, 2018, July 10th, 2018, and most recently on September 11th, 2018. The new information includes a link to a new Meltdown/Spectre advisory from Siemens for their SIMATIC Industrial Thin Clients.
EN100 Ethernet Communications Module Update
This update provides additional information on an advisory that was originally published on December 13th, 2018. The new information includes updated version data and mitigation links for the IEC104 firmware variant of the EN100 Ethernet modules.
SIMATIC S7-1500 Update
This update provides additional information on an advisory that was originally published on October 9th, 2018. The new information includes updated version data and mitigation links for:
• SIMATIC ET 200 SP Open Controller; and
• SIMATIC S7-1500 Software Controller
OpenSSL Update
This update provides additional information on an advisory that was originally published on August 14th, 2018 and updated on September 11th, 2018, October 9th, 2018, and again on November 13th, 2018. The update provides new affected version and mitigation information for:
• SIMATIC S7-1500 Software Controller; and
• SIMATIC ET 200SP Open Controller CPU 1515SP PC
SIPROTEC 4 Update
This update provides additional information on an advisory that was originally published on March 8th, 2018 and updated on April 18th, 2018. The update provides new affected version and mitigation information for the IEC 104 variant of the EN100 module.
Industrial Products Update #1
This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, November 14th, November 28th, February 27th, 2018, May 3rd, 2018, May 15th, 2018, September 11th, 2018, October 9th, 2018, November 13th, 2018, December 11th, 2018, and most recently on February 5th, 2019. The update provides new affected version and mitigation information for SIMATIC ET 200SP IM155-6 PN HA.
Industrial Products Update #2
This update provides additional information on an advisory that was originally published on January 12th, 2018. The update provides new affected version and mitigation information for SIMATIC CP 1626.
Siemens Advisory Update
Yesterday’s publications by ICS-CERT are really rather remarkable, since most of the Siemens advisories covered were published yesterday. NCCIC-ICS has now reported on all of the original advisories from Siemens from January and all but one of the updates (the GNU/Linux vulnerabilities have not been reported by NCCIC-ICS).
Of the four advisories and 12 updates published yesterday by Siemens, only 8 updates have not been directly covered by NCCIC-ICS in yesterday’s reporting. Unless those are reported by NCCIC-ICS on Thursday, I will have more details this weekend.