This week we have three vendor disclosures for products from PEPPERL+FUCHS, Phoenix Contact and BD. We also have an update for a previously published disclosure for products from Draeger.
PEPPERL+FUCHS Advisory
VDE CERT published an advisory that describes a path traversal vulnerability in the PEPPERL+FUCHS WirelessHART-Gateways. The vulnerability was publicly reported (with exploit) by Hamit CİBO. PEPPERL+FUCHS has a firmware update that mitigates the vulnerability.
Phoenix Contact Advisory
VDE CERT published an advisory for three vulnerabilities in the Phoenix Contact MEVIEW3 product. The third-party software vulnerabilities were reported by WIBU-SYSTEMS AG. These are the same vulnerabilities in the WibuKey Digital Rights Management (DRM) solution that have been reported in products from Siemens. WIBU has an update that mitigates the vulnerabilities.
NOTE: It will be interesting to see how many other ICS vendors are using the WibuKey and will be publishing advisories based upon these vulnerabilities.
BD Advisory
BD published an advisory providing advance notice that a number of their products based upon the Windows 7® operating system need to be upgraded to Windows 10® since the earlier Windows product is facing an upcoming end-of-support by Microsoft. This is an early notification; customers will be notified directly by BD if/when the Windows 10 update becomes available, if BD enters into an agreement with Microsoft for extended support for a particular product, or if BD stops supporting a product because it has reached end-of-life.
NOTE: Given the long life expectancy of industrial control systems, the loss of support for operating systems from vendors like Microsoft will be an ongoing problem for ICS equipment vendors. It is interesting to see that BD is taking a proactive approach to this issue.
Draeger Update
Draeger has published an update for an advisory that was originally published on January 21, 2019. The new information includes:
• New information on affected product versions;
• New vulnerability impact information; and
• Report of pending update availability for products running on Windows XP® (presumably including an OS upgrade).
NOTE: This Draeger update, dealing with an even older version of Windows than the one identified by BD, puts even more emphasis on the OS problem facing ICS manufacturers. Perhaps someone needs to come up with a stable (dare I say stripped down) OS for ICS vendors to use for long-life products. Getting rid of a lot of the bells and whistles in the Microsoft OSs that are of little or no use in industrial control systems would probably reduce the potential attack surface.
Final Nightmare Note: Are vendors of millions of IoT devices operating under the Windows 7 OS going to be updating their existing products for Windows XXX? I do not think so. This will just add to the vulnerabilities of these existing systems.