Saturday, March 2, 2019

Public ICS Disclosures – Week of 02-23-19

This week we have four vendor disclosures for products from Bosch (3) and Siemens. There is also a vendor update of a previously issued security advisory for products from Rockwell.

Bosch Advisories

Bosch published two advisories (here and here) for two vulnerabilities in their Smart Camera App for Android. These vulnerabilities are apparently self-reported. Bosch has a new version of the App that mitigates the vulnerabilities.

The two reported vulnerabilities are:

• Incorrect default permissions - CVE-2019-7729; and
• Improper certificate validation - CVE-2019-7728

Bosch published an advisory describing two vulnerabilities in its Rexroth IndraWorks WinStudio application. These are third-party software vulnerabilities originally reported by AVEVA in their InduSoft Web Studio. Bosch reports that all projects created with the vulnerable versions are affected by these vulnerabilities. Bosch only provides workarounds to mitigate these vulnerabilities in this advisory.

The two reported vulnerabilities are:

• Missing authentication for critical function - CVE-2019-6543; and
• Resource injection - CVE-2019-6545

Siemens Advisory

Siemens has published an advisory describing three vulnerabilities in the WibuKey Digital Rights Management (DRM) solution, which affect WinCC OA. These are the same vulnerabilities that Siemens previously reported in their SICAM 230 product. The original Talos reports on these third-party software vulnerabilities (CVE-2018-3989, CVE-2018-3990, and CVE-2018-3991) included exploits. Siemens has provided WibuKey links to new versions of the software to mitigate the vulnerabilities. There is no indication that Talos has verified the efficacy of the fix.

Rockwell Update

The Rockwell Industrial Security Advisory Index page indicates that they published an update to the advisory on their PowerMonitor 1000 Monitor product. This advisory was originally published in February. The update is apparently currently available only to companies with a current TechConnect contract (which I do not have). I expect that we will see an update published by NCCIC-ICS at some future date.
