Yesterday the DHS NCCIC-ICS published six industrial control
system advisories for products from Schneider Electric (2), AVEVA, Siemens (3)
and Delta Industrial. They also published a medical device security advisory
for products from Philips.
Interactive Graphical SCADA Advisory
This advisory
describes an out-of-bounds write vulnerability in the Schneider Interactive
Graphical SCADA System (IGSS). The vulnerability was reported by mdm and rgod
of 9SG Security Team via the Zero Day Initiative. Schneider has new versions
that mitigate the vulnerability. There is no indication that the researchers
have been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that an uncharacterized attacker with uncharacterized
access could exploit the vulnerability to achieve arbitrary code
execution or crash the software.
Floating License Manager Advisory
This advisory
describes four vulnerabilities in the Schneider Floating License Manager. The
vulnerabilities are self-reported. According to the Schneider
advisory, the vulnerabilities are in a third-party component (Flexera
FlexNet Publisher) of their product. Schneider has a patch available that
mitigates the vulnerabilities.
The four reported vulnerabilities are:
• Improper input validation (3) - CVE-2018-20031, CVE-2018-20032,
and CVE-2018-20034; and
• Memory corruption - CVE-2018-20033
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to deny the
acquisition of a valid license for legal use of the product.
NOTE: There are still three other advisories published
by Schneider on Tuesday that have not been reported by NCCIC-ICS, all for Modicon
controllers. I will address these on Saturday.
AVEVA Advisory
This advisory
describes the same four vulnerabilities reported above, this time in the AVEVA Vijeo
Citect and Citect SCADA Floating License Manager. These vulnerabilities have not yet been
reported by AVEVA. A new version is available from Schneider to mitigate
the vulnerabilities.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to deny the
acquisition of a valid license for legal use of the product.
SIMATIC Advisory
This advisory
describes three vulnerabilities in the Siemens SIMATIC RF6XXR. The vulnerabilities
are in older, third-party SSL and TLS applications still in use by these
products. The vulnerabilities were reported by Wendy Parrington from United
Utilities. Siemens reports that newer versions mitigate the vulnerabilities.
The three reported vulnerabilities are:
• Improper input validation - CVE-2011-3389; and
• Cryptographic issues (2) - CVE-2016-6329 and CVE-2013-0169
NCCIC-ICS reports that an uncharacterized attacker could use
publicly available exploits (two of these are older, well-recognized vulnerabilities)
to remotely exploit the vulnerabilities and gain access to sensitive
information.
TIA Portal Advisory
This advisory
describes an improper access control vulnerability in the Siemens TIA
Administrator (TIA Portal). The vulnerability was reported
(with proof of concept code) by Joseph Bingham of Tenable. Siemens has an
update that mitigates the vulnerability. There is no indication that Bingham
has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to
execute some commands without proper authentication.
SIMATIC WinCC Advisory
This advisory
describes an unrestricted-upload-of-file-with-dangerous-type vulnerability in
the Siemens SIMATIC WinCC and SIMATIC PCS7 devices. The vulnerability was
reported by Xuchen Zhu from ZheJiang Guoli Security Technology. Siemens has
updates available that mitigate the vulnerability. There is no indication that
Xuchen has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to cause a denial-of-service
condition on the affected service or device. The Siemens
advisory notes that the attacker has to be authenticated with a valid user
account.
NOTE: There is still one new advisory that Siemens
published on Tuesday that has not been reported by NCCIC-ICS. I will cover
it tomorrow.
Delta Industrial Advisory
This advisory
describes two vulnerabilities in the Delta Electronics CNCSoft ScreenEditor.
The vulnerabilities were reported by Natnael Samson (@NattiSamson) via ZDI. Delta
has a new version that mitigates the vulnerabilities. There is no indication
that Samson was provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Heap-based buffer overflow - CVE-2019-10982; and
• Out-of-bounds read - CVE-2019-10992
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to cause buffer overflow conditions
that may allow information disclosure or remote code execution, or crash the
application.
Philips Advisory
This advisory
describes a use of obsolete function vulnerability in the Philips Holter 2010
Plus, a 12-lead EKG analysis software program. The vulnerability is self-reported.
Philips provides generic measures to mitigate the vulnerability.
NCCIC-ICS reports that an uncharacterized attacker with
uncharacterized access could exploit this vulnerability to achieve a product
feature escalation.