Friday, August 16, 2019

4 Advisories Published – 08-15-19


Yesterday the DHS NCCIC-ICS published four control system security advisories for products from Siemens (2), Fuji Electric, and Johnson Controls.

SINAMICS Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the web server of the Siemens SINAMICS control units. The vulnerability is self-reported. Siemens has updates available to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to perform a denial-of-service attack.

SCALANCE Advisory


This advisory describes two instances of an improper adherence to coding standards vulnerability in the Siemens SCALANCE products. The vulnerability is self-reported. Siemens has an update available that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to cause a denial of service, and that the vulnerabilities could allow an authenticated local user with physical access to the device to execute arbitrary commands on the device.

NOTE: There are still two advisories and an update that were published by Siemens earlier this week that have not been addressed by NCCIC-ICS. I will report further on them tomorrow.

Fuji Advisory


This advisory describes a stack-based buffer overflow in the Fuji Alpha5 Smart Loader servo drive. The vulnerability was reported by Natnael Samson (@NattiSamson) via the Zero Day Initiative. Fuji has a new version that mitigates the vulnerability. There is no indication that Samson has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to execute code under the privileges of the application.

Johnson Controls Advisory


This advisory describes two vulnerabilities in the Johnson Controls Metasys building automation system. The vulnerabilities were reported by harpocrates.ghost. Johnson Controls has a new version that mitigates the vulnerabilities. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Reusing a nonce, key pair in encryption - CVE-2019-7593; and
Use of hard-coded cryptographic key - CVE-2019-7594.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit these vulnerabilities to decrypt captured network traffic.
