Today the DHS NCCIC-ICS published two control system security
advisories for products from gpsd Open Source Project and Pangea. They also
updated three previously published advisories for products from Fuji and Siemens
(2). The gpsd advisory was originally published on the HSIN ICS-CERT library on
November 6, 2018.
gpsd Advisory
This advisory
describes a stack-based buffer overflow vulnerability in gpsd, an
open-source GPS framework. The vulnerability was reported by GE Digital Cyber
Security Services, working with GE-PSIRT. A new version is available that
mitigates the vulnerability. There is no indication that the researchers have
been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that an uncharacterized attacker with
uncharacterized access could exploit this vulnerability to allow remote code
execution, data exfiltration, or denial-of-service via device crash.
Note: This advisory is a ‘third-party vendor’ vulnerability
report. NCCIC-ICS reports that gpsd can be found in many mobile embedded
systems such as Android phones, drones, robot submarines, driverless cars,
manned aircraft, marine navigation systems, and military vehicles.
Pangea Advisory
This advisory
describes an authentication bypass using an alternate path or channel
vulnerability in the Pangea Internet FAX Analog Telephone Adapter (ATA). The
vulnerability was reported by Ankit Anubhav of NewSky Security. Pangea has a
patch deployed that mitigates the vulnerability. There is no indication that Anubhav
has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could use a publicly available exploit to remotely exploit the vulnerability to
cause the device to reboot and create a continual denial-of-service condition.
Fuji Update
This update
provides additional information on an advisory that was originally
published on September 27th, 2018. The update announces the
availability of a new firmware version that mitigates the vulnerabilities.
Licensing Software Update
This update
provides additional information on an advisory that was originally
published on February 12th, 2019. The update makes a number of
editorial corrections in the data presentation on the vulnerabilities reported.
I missed identifying these inconsistencies as I reported on the vulnerabilities
based upon the Talos reports. The update still does not mention that there are
publicly available exploits for these vulnerabilities from those reports.
PROFINET Update
This update
provides additional information on an advisory that was originally
published on May 9th, 2017 and updated on June 15, 2017, on July 25th, 2017,
on August 17th, 2017, on October 10th, 2017, November 14th, 2017,
January 23rd, 2018, February 27th, 2018, and most recently on
June 21st, 2018. The update provides updated affected version
information and mitigation links for SINAUT ST7CC.