Today the DHS NCCIC-ICS published one control system security
advisory for products from WIBU Systems and six updates for previously
published advisories for products from Siemens.
WIBU Advisory
This advisory describes three vulnerabilities in the WibuKey Digital Rights
Management tool. NCCIC-ICS reports that the vulnerabilities were reported to it
by Siemens, but the vulnerabilities were originally reported by Talos (here,
here and here) with exploits. Wibu has an updated software version that
mitigates the vulnerabilities. There is no indication that Talos has been
provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Information exposure - CVE-2018-3989;
• Out-of-bounds write - CVE-2018-3990; and
• Heap-based buffer overflow - CVE-2018-3991
NCCIC-ICS reports that a relatively low-skilled attacker
could use a publicly available exploit to remotely exploit the vulnerabilities to
allow information disclosure, privilege escalation, or remote code execution.
NOTE: This advisory was originally published on February 12th, 2019 by
NCCIC-ICS and updated on February 14th, 2019 as a third-party software problem
only affecting the Siemens SICAM 230. This advisory was renamed today as a Wibu
Systems problem affecting Siemens (2 product lines, the second reported here
on March 2nd, 2019) and three other vendors: COPA-DATA, SPRECHER Automation,
and Phoenix Contact (reported here last Saturday). As with other third-party
software issues, there may be other vendors added to this revised advisory in
the future.
Industrial Products Update
This update provides additional information on an advisory that was originally
published on May 9th, 2017 and updated on June 15, 2017, on July 25th, 2017,
on August 17th, 2017, on October 10th, on November 14th, November 28th,
February 27th, 2018, May 3rd, 2018, May 15th, 2018, September 11th, 2018,
October 9th, 2018, November 13th, 2018, December 11th, 2018, February 5th,
2019 and most recently on February 12th, 2019. The update provides additional
affected version information and links for mitigation measures for SINUMERIK
840D sl.
Desigo PXC Update
This update provides additional information on an advisory that was originally
published on January 25th, 2018, February 6th, and updated on March 22nd, 2018.
The update adds links to mitigation measures for products before v 6.00.
SIPROTEC 4 Update
This update provides additional information on an advisory that was originally
published on March 8th, 2018, April 19th, 2018, and updated on May 17th, 2018.
The update provides additional affected version information and links for
mitigation measures for:
• 7SJ61;
• 7SJ62;
• 7SJ64; and
• Contacts for mitigation measures for products without solution.
SIMATIC PCS 7 Update
This update provides additional information on an advisory that was originally
published on March 29th, 2018 and updated on April 24th, 2018, June 12th, 2018,
and again on November 13th, 2018. The update corrected the fixed version data
for WinCC 7.4.
NOTE: This should be “Update E” not “Update G”.
SIMATIC S7 Update
This update
provides additional information on an advisory that was originally
published on November 13th, 2018. The update provides additional
affected version information and links for mitigation measures for SIMATIC
S7-1200.
SINUMERIK Update
This update
provides additional information on an advisory that was originally
published on December 11th, 2018. The update provides additional
affected version information and links for mitigation measures for SINUMERIK
808D.
Siemens Advisory Day
The six Siemens updates published today by NCCIC-ICS were
all published by Siemens today in their monthly release of vulnerabilities and
updates. There was also one new advisory published today by Siemens and three
other updates.