Saturday, March 16, 2019

Public ICS Disclosures – Week of 03-09-19


This week we have five vendor notifications for products from Siemens, PEPPERL+FUCHS, and Schneider (3) and four vendor updates of previously published advisories for products from Siemens (3) and Medtronic.

Siemens Advisory


Siemens published an advisory describing a mirror port isolation vulnerability in their SCALANCE X switches. The vulnerability was self-reported by Siemens. Siemens has provided generic workarounds to mitigate the vulnerability.

PEPPERL+FUCHS Advisory


VDE CERT published an advisory describing two vulnerabilities in the PEPPERL+FUCHS ecom mobile devices. The vulnerabilities were reported by Ben Seri and Gregory Vishnepolsky of Armis; the Armis 2017 BlueBorne disclosure includes exploit code. PEPPERL+FUCHS directs customers to the OEM vendors (no links provided) for updates for some of the affected products.

Schneider Advisories


Schneider published an advisory describing an uncontrolled search path element vulnerability in their Pelco VideoXpert OpsCenter. The vulnerability was reported by Osama Radwan. Schneider has a new version that mitigates the vulnerability. There is no indication that Radwan has been provided an opportunity to verify the efficacy of the fix.

Schneider published an advisory describing a SQL injection vulnerability in their U.motion Builder software product. The vulnerability was reported by Julien Ahrens (RCE Security). Schneider recommends that customers stop using their U.motion Builder software product as it is no longer supported.

Schneider published an advisory describing an improper check for unusual or exceptional conditions vulnerability in their Triconex TriStation Emulator. The vulnerability was reported by Tom Westenberg of Applied Risk. Schneider plans to have an update available in July and has provided generic workarounds to mitigate the vulnerability in the meantime.

Siemens Updates


Siemens published an update for their advisory on Spectre and Meltdown Vulnerabilities in Industrial Products. They added an updated solution for their SINUMERIK PCU. NCCIC-ICS is not expected to publish an update for its Meltdown/Spectre alert (ICS-ALERT-18-011-01) since the link in that Alert to the Siemens Industrial Products advisory already takes one to this latest update.

Siemens published an update for their advisory on Foreshadow / L1 Terminal Fault Vulnerabilities in Industrial Products. They added an updated solution for their SINUMERIK PCU. NCCIC-ICS has not published any advisories or alerts about the Foreshadow vulnerabilities.

Siemens published an update for their advisory on Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP. They added 14 new CVEs to the already lengthy list of CVEs covered in the advisory. NCCIC-ICS has not published any advisories or alerts on this family of Linux vulnerabilities.

Medtronic Update


Medtronic published an update for their advisory on MiniMed™ Paradigm™ Insulin Pumps. They added:

• Two new affected devices available in the US; and
• A link to the field safety notification letter issued in August 2018.

The NCCIC-ICS advisory (ICSMA-18-219-02) was originally published on August 8th, 2018. I suspect that this will be updated in the coming week.

NOTE: It is interesting that the letter (dated August 7th, 2018, the date of the original advisory) already lists the two affected devices that are being added to the advisory via this update. The original Medtronic advisory made special note that none of the affected devices were available for sale in the United States.
