Yesterday the DHS NCCIC-ICS published four control system
security advisories {Siemens (2), Schneider Electric, Rockwell and Emerson},
one medical device security advisory for products from GE, and updated four
previously published advisories for products from Siemens.
SIPROTEC Advisory
This advisory
describes two improper input validation vulnerabilities in the Siemens SIPROTEC
5 and DIGSI 5 products. The vulnerabilities were reported by Pierre Capillon,
Nicolas Iooss, and Jean-Baptiste Galet from Agence Nationale de la Sécurité des
Systèmes d’Information (ANSSI). Siemens has new versions that mitigate the vulnerabilities.
There is no indication that the researchers have been provided an opportunity
to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow a denial-of-service condition
and limited control of file upload, download, and delete functions.
Spectrum Power Advisory
This advisory
describes a cross-site scripting vulnerability in the Siemens Spectrum Power
product. The vulnerability was reported by Ismail Mert AY AK of Biznet Bilisim AS.
Siemens has an update available that mitigates the vulnerability. There is no
indication that Mert has been provided an opportunity to verify the efficacy of
the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to allow an attacker to inject
arbitrary code in a specially crafted HTTP request and monitor information.
NOTE 1: The Siemens
advisory uses new terminology for reporting NCCIC-ICS coordination efforts;
it cites “CISA-Industrial Control System Vulnerability Disclosure team” as the
coordinating agency. I am wondering if this is an official designation of a
specific group of people operating at NCCIC or just another smoke and mirrors
name change.
NOTE 2: Siemens published
four other advisories yesterday in addition to these two. If they are not
addressed by NCCIC-ICS later this week, I will be looking at them Saturday.
Schneider Advisory
This advisory
describes a use after free vulnerability in the Schneider Zelio Soft
programming platform. The vulnerability was reported by 9sg Security Team via
the Zero Day Initiative. Schneider has a new version that mitigates the
vulnerability. There is no indication that the researchers have been provided
an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to allow remote code execution
through the opening of a specially crafted project file.
NOTE 1: NCCIC-ICS does not provide a link to the Schneider
Zelio Soft advisory.
NOTE 2: Schneider published
five other advisories yesterday as well as the Zelio Soft advisory. It was a
busy ICS security day.
Rockwell Advisory
This advisory
describes an improper access control vulnerability in the Rockwell PanelView
5510 HMI. This vulnerability is self-reported. Rockwell has new versions that
mitigate the vulnerability.
NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit this vulnerability to allow a remote unauthenticated user to
gain root privileges on the device.
Emerson Advisory
This advisory
describes a hard-coded credential vulnerability in the Emerson DeltaV
Distributed Control System (DCS) software platform. The vulnerability was
reported by Benjamin Crosasso of Sanofi. Emerson has a patch available to
mitigate the vulnerability. There is no indication that Crosasso has been
provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to allow an
attacker to gain administrative access to DeltaV Smart Switches.
GE Advisory
This advisory
describes an improper authentication vulnerability in the GE Aestiva and
Aespire Anesthesia Machines. The vulnerability was
reported by Elad Luz of CyberMDX. GE has provided generic workarounds to
mitigate the vulnerability. The FDA has not published a safety
communication on this vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to allow an attacker the ability to
remotely modify GE Healthcare anesthesia device parameters.
SIMATIC PCS Update
This update
provides additional information on an advisory that was originally
published on May 14th, 2019. The new information includes
updated version data and links to mitigation measures for:
• SIMATIC WinCC V7.4;
• SIMATIC PCS 7 V8.2; and
• SIMATIC PCS 7 V9.0
SIMATIC Update
This update
provides additional information on an advisory that was originally published on
April 9th, 2019 and updated on May
14th, 2019 and June
11th, 2019. The new information includes updated version data and
links to mitigation measures for:
• SIMATIC RF600R;
• SIMATIC RF185C;
• SIMATIC RF186C; and
• SIMATIC RF188C
Industrial Products Update
This update
provides additional information on an advisory that was originally published on
April 9th, 2019 and updated on May
14th, 2019 and June
11th, 2019. The new information includes updated version data and
links to mitigation measures for:
• SIMATIC RF600R;
• SIMATIC RF188C; and
• SINEMA Server
CP 1604 Update
This update
provides additional information on an advisory that was originally
published on February 12th, 2019. The new information includes:
• Updated version information and mitigations; and
• Added fixes for older product versions for CVE-2018-13808
NOTE: Siemens published four additional advisory updates
yesterday. NCCIC-ICS is unlikely to address them so I will on Saturday.