Yesterday the DHS NCCIC-ICS published four control system
security advisories for products from Siemens (2), Fuji Electric, and Johnson
Controls.
SINAMICS Advisory
This advisory
describes an uncontrolled resource consumption vulnerability in the web server
of the Siemens SINAMICS control units. The vulnerability is self-reported.
Siemens has updates available to mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to perform a
denial-of-service attack.
SCALANCE Advisory
This advisory
describes two instances of an improper adherence to coding standards vulnerability
in the Siemens SCALANCE products. The vulnerabilities are self-reported.
Siemens has an update available that mitigates the vulnerabilities.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to cause a denial of service, or that an
authenticated local user with physical access to the device could execute
arbitrary commands on the device.
NOTE: There are still two advisories and an update that were
published by Siemens earlier this week that have not been addressed by NCCIC-ICS. I will
report further on them tomorrow.
Fuji Advisory
This advisory
describes a stack-based buffer overflow in the Fuji Alpha5 Smart Loader servo drive. The vulnerability was reported by Natnael
Samson (@NattiSamson) via the Zero Day Initiative. Fuji has a new version that
mitigates the vulnerability. There is no indication that Samson has been
provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker with
uncharacterized access could exploit the vulnerability to
execute code under the privileges of the application.
Johnson Controls Advisory
This advisory
describes two vulnerabilities in the Johnson Controls Metasys building
automation system. The vulnerabilities were reported by harpocrates.ghost. Johnson
Controls has a new version that mitigates the vulnerabilities. There is no
indication that the researcher has been provided an opportunity to verify the
efficacy of the fix.
The two reported vulnerabilities are:
• Reusing a nonce, key pair in encryption - CVE-2019-7593; and
• Use of hard-coded cryptographic key - CVE-2019-7594
NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit these vulnerabilities to decrypt captured network traffic.