Yesterday the DHS NCCIC-ICS published a medical device security
advisory for the DICOM (Digital Imaging and Communications in Medicine)
standard; four control system security advisories for products from Siemens;
and four updates of previously published advisories for products from Siemens.
DICOM Standard Alert
This alert describes a public release with proof-of-concept code for an
information disclosure vulnerability in the DICOM standard. The vulnerability
was reported by Markel Picado Ortiz of Cylera Labs. NCCIC-ICS reports that an
uncharacterized attacker with local access could use the POC code to embed
executable code into image files used by medical imaging devices.
SCALANCE X Advisory
This advisory describes a 'storing passwords in a recoverable format'
vulnerability in the
Siemens SCALANCE X products. The vulnerability was reported by Christopher Wade
from Pen Test Partners. Siemens has an update for one of the affected products.
There is no indication that Wade has been provided an opportunity to verify the
efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to reconstruct
passwords for users of the affected devices, if the attacker is able to
obtain a backup of the device configuration.
LOGO!8 Advisory
This advisory
describes two vulnerabilities in the Siemens LOGO!8 devices. The
vulnerabilities were reported by Thomas Meesters from cirosec GmbH and Ruhr
University of Bochum, and Christian Siemers and Irakli Edjibia from Hochschule
Augsburg. Siemens has a new firmware version that mitigates the vulnerabilities.
There is no indication that the researchers have been provided an opportunity
to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Improper restriction of operations within the
bounds of a memory buffer - CVE-2019-6571; and
• Session fixation - CVE-2019-6584
NCCIC-ICS reports that a relatively low-skilled attacker could
remotely exploit these vulnerabilities to read the communication between
the affected device and a user, and compromise the availability of the
targeted system.
SIMATIC Advisory
This advisory
describes two vulnerabilities in the Siemens SIMATIC Ident MV420 and MV440
Families. These vulnerabilities are self-reported. Siemens has provided generic
workarounds.
The two reported vulnerabilities are:
• Improper privilege management - CVE-2019-10925; and
• Clear-text transmission of sensitive information - CVE-2019-10926
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to escalate
privileges and view data transmitted between the device and the user.
Siveillance Advisory
This advisory
describes three vulnerabilities in the Siemens Siveillance VMS. The
vulnerabilities are self-reported. Siemens has updates available that mitigate
the vulnerabilities.
The three reported vulnerabilities are:
• Improper authorization - CVE-2019-6580;
• Incorrect user management - CVE-2019-6581; and
• Missing authorization - CVE-2019-6582
NCCIC-ICS reports that a relatively low-skilled attacker could
remotely exploit these vulnerabilities to allow an attacker with network access
to Port 80/TCP to change device properties, user roles, and user-defined event
properties.
Industrial Products Update
This update
provides additional information on an advisory that was originally published on
April 9th, 2019 and updated on May 14th, 2019. The new information
includes updated affected version and mitigations for:
• SIMATIC Software Controller; and
• SIMATIC ET 200 SP Open Controller CPU 1515SP PC2
SIMATIC Update
This update
provides additional information on an advisory that was originally published on
April 9th, 2019 and updated on May 14th, 2019. The new information
includes updated affected version and mitigations for:
• SIMATIC Software Controller; and
• SIMATIC ET 200 SP Open Controller CPU 1515SP PC2
SCALANCE X Update
This update
provides additional information on an advisory that was originally
published on March 26th, 2019. The new information includes
updated affected version and mitigations for SCALANCE X-200.
SCALANCE X Switches Update
This update
provides additional information on an advisory that was originally published on
June 18th, 2018 and updated on January 31st, 2019. The new information
includes updated affected version and mitigations for SCALANCE X200RNA.
NOTE: There were two other Siemens updates issued yesterday
that were not covered by NCCIC-ICS, nor do I suspect that they will address
them. I will report on them Saturday.