Wednesday, February 13, 2019

6 Advisories and 7 Updates Published – 02-12-19


Yesterday the DHS NCCIC-ICS published six control system security advisories for products from Siemens (5) and OSIsoft. They also updated seven previously published advisories for products from Siemens.

CP1604 Advisory


This advisory describes three vulnerabilities in the Siemens CP1604 and CP1616 products. These vulnerabilities were self-reported. Siemens has a new version that mitigates the vulnerabilities.

The three reported vulnerabilities are:

• Clear-text transmission of sensitive information - CVE-2018-13808;
• Cross-site scripting - CVE-2018-13809; and
• Cross-site request forgery - CVE-2018-13810

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow a denial-of-service condition and information exposure. An attacker could inject arbitrary JavaScript in a specially crafted URL request that would execute on an unsuspecting user’s system, allowing the attacker to trigger actions via the web interface that the legitimate user is allowed to perform.

NOTE: I briefly discussed this advisory on January 12th.

Intel Active Management Advisory


This advisory describes three vulnerabilities in the Intel Active Management Technology (AMT) of Siemens SIMATIC IPCs. The vulnerabilities are self-reported. These vulnerabilities exist in third-party (Intel) firmware on the affected PCs. Siemens has firmware updates that mitigate the vulnerabilities.

The three reported vulnerabilities are:

• Cryptographic issues - CVE-2018-3616;
• Improper restriction of operations within the bounds of a memory buffer - CVE-2018-3657; and
• Resource management errors - CVE-2018-3658

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow arbitrary code execution, a partial denial-of-service condition, or information disclosure. The Siemens advisory reports that:

“The security vulnerability could be exploited by an attacker with network access to the affected systems. Successful exploitation requires no system privileges and no user interaction.”

NOTE: Since these vulnerabilities are in the Intel AMT firmware, they could be found on a large number of industrial PCs not related to the Siemens products in this advisory.

SIMATIC Advisory


This advisory describes an improper input validation vulnerability in the Siemens SIMATIC S7-300 CPU. The vulnerability was reported by the China Industrial Control Systems Cyber Emergency Response Team (CIC). Siemens has a firmware update that mitigates the vulnerability. There is no indication that CIC has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow the attacker to crash the device being accessed, resulting in a denial-of-service condition.

NOTE: I briefly discussed this advisory on January 12th.

Licensing Software Advisory


This advisory describes three vulnerabilities in the Siemens WibuKey Digital Rights Management (DRM) used with SICAM 230. These vulnerabilities are self-reported. Siemens has provided links to a third-party update to mitigate the vulnerabilities. These vulnerabilities were originally reported in the WibuKey product in December by Talos; see the links on the CVE numbers for the Talos reports.

The three reported vulnerabilities are:

• Input validation (3) - CVE-2018-3989, CVE-2018-3990, and CVE-2018-3991.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to allow information disclosure, privilege escalation, or remote code execution. NOTE: The Talos reports provide proof of concept exploit code.

Again, as with any third-party vulnerability, these problems could be seen in systems from other vendors that also use the WibuKey DRM.

EN100 Ethernet Communications Module Advisory


This advisory describes an improper input validation vulnerability in the Siemens EN100 Ethernet Communication Module and SIPROTEC 5 Relays. The vulnerability was reported by Lars Lengersdorf from Amprion GmbH. Siemens has updates for some of the affected products. There is no indication that Lengersdorf has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to conduct a denial-of-service attack over the network.

OSIsoft Advisory


This advisory describes a cross-site scripting vulnerability in the OSIsoft PI Vision application. The vulnerability is self-reported. OSIsoft has a new version that mitigates this vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker to read and modify the contents of the PI Vision web page and data related to the PI Vision application in the victim’s browser.

NOTE: I briefly discussed this vulnerability on December 18th, 2018.

Meltdown Spectre Update


This update provides additional information on an advisory that was originally published on January 11th, 2018 and updated on January 16th, 2018, January 17th, 2018, January 30th, 2018, February 20th, 2018, February 22nd, 2018, March 1st, 2018, July 10th, 2018, and most recently on September 11th, 2018. The new information includes a link to a new Meltdown/Spectre advisory from Siemens for their SIMATIC Industrial Thin Clients.

EN100 Ethernet Communications Module Update


This update provides additional information on an advisory that was originally published on December 13th, 2018. The new information includes updated version data and mitigation links for the IEC 104 firmware variant of the EN100 Ethernet modules.

SIMATIC S7-1500 Update


This update provides additional information on an advisory that was originally published on October 9th, 2018. The new information includes updated version data and mitigation links for:

• SIMATIC ET 200 SP Open Controller; and
• SIMATIC S7-1500 Software Controller

OpenSSL Update


This update provides additional information on an advisory that was originally published on August 14th, 2018 and updated on September 11th, 2018, October 9th, 2018, and again on November 13th, 2018. The update provides new affected version and mitigation information for:

• SIMATIC S7-1500 Software Controller; and
• SIMATIC ET 200SP Open Controller CPU 1515SP PC

SIPROTEC 4 Update


This update provides additional information on an advisory that was originally published on March 8th, 2018 and updated on April 18th, 2018. The update provides new affected version and mitigation information for the IEC 104 variant of the EN100 module.

Industrial Products Update #1

This update provides additional information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, July 25th, 2017, August 17th, 2017, October 10th, 2017, November 14th, 2017, November 28th, 2017, February 27th, 2018, May 3rd, 2018, May 15th, 2018, September 11th, 2018, October 9th, 2018, November 13th, 2018, December 11th, 2018, and most recently on February 5th, 2019. The update provides new affected version and mitigation information for SIMATIC ET 200SP IM155-6 PN HA.

Industrial Products Update #2


This update provides additional information on an advisory that was originally published on January 12th, 2018. The update provides new affected version and mitigation information for SIMATIC CP 1626.

Siemens Advisory Update


Yesterday’s publications by NCCIC-ICS are really rather remarkable, since most of the Siemens advisories covered were themselves published yesterday. NCCIC-ICS has now reported on all of the original advisories from Siemens from January and all but one of the updates (the GNU/Linux vulnerabilities, which have not been reported by NCCIC-ICS).

Of the four advisories and 12 updates published yesterday by Siemens, only 8 updates have not been directly covered by NCCIC-ICS in yesterday’s reporting. Unless those are reported by NCCIC-ICS on Thursday, I will have more details this weekend.
