The DHS NCCIC-ICS published six control system security
advisories for products from OSIsoft, Siemens (4), and Delta Electronics. They
also updated two previously published advisories for products from Siemens and
an alert from Mitsubishi Electric Europe.
OSIsoft Advisory
This advisory
describes an integer overflow or wraparound vulnerability in the OSIsoft PI SQL
Client. The vulnerability is self-reported. OSIsoft has a new version that
mitigates the vulnerability.
NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit the vulnerability to allow remote code execution or cause a
denial of service, resulting in disclosure, deletion, or modification of
information.
SIMATIC Advisory
This advisory
describes an improper input validation vulnerability in the Siemens SIMATIC TDC
CP51M1 multiprocessor automation system. The vulnerability is self-reported.
Siemens has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to create a denial-of-service
condition within UDP communication.
WirelessHart Gateway Advisory
This advisory
describes a cross-site scripting vulnerability in the Siemens IE/WSN-PA Link
WirelessHART Gateway. The vulnerability is self-reported. Siemens has provided generic
mitigation measures for the vulnerability.
NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit the vulnerability to allow information disclosure, code
execution, or denial-of-service.
Comment: Usually a vendor provides generic mitigation
measures for a vulnerability when they are forced to disclose a vulnerability
due to the disclosure process. With this being a self-disclosed vulnerability,
Siemens was not forced to disclose this vulnerability with a generic
mitigation. That takes a certain amount of integrity, but it does place some of
their customers at an unusual level of risk. The generic mitigation measure is
not unusual or even an unexpected requirement, but some customers will not have
taken the standard precaution and are unlikely to implement it now.
Industrial Product Advisory
This advisory
describes three vulnerabilities in the Siemens Industrial Products. The
vulnerabilities were self-reported. Siemens has new versions that mitigate the
vulnerabilities in some of the affected products.
The three reported vulnerabilities are:
• Integer overflow or wraparound - CVE-2019-11477;
• Uncontrolled resource consumption (2) - CVE-2019-11478 and CVE-2019-11479
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to cause a denial-of-service
condition.
SINETPLAN Advisory
This advisory
describes an improper authorization vulnerability in the Siemens Network
Planner (SINETPLAN). The vulnerability is self-reported. Siemens has a new version
that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to allow
information disclosure, code execution, and denial-of-service. The Siemens Advisory
notes that the vulnerability can only be exploited by “local users”.
Delta Electronics Advisory
This advisory
describes three vulnerabilities in the Delta Electronics TPEditor. The vulnerabilities
were reported by kimiya of 9sg Security Team via the Zero Day Initiative. Delta
has a new version that mitigates the vulnerabilities. There is no indication that
the researchers have been provided an opportunity to verify the efficacy of the
fix.
The three reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2019-13540;
• Heap-based buffer overflow - CVE-2019-13536; and
• Out-of-bounds write - CVE-2019-13544
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerabilities to allow
information disclosure or remote code execution, or to crash the application.
PCS7 Update
This update
provides new information on an advisory that was originally
reported on July 9th, 2019 and last updated on August
13th, 2019. The new information includes updated version
information and mitigation links for SIMATIC WinCC Runtime Professional V14 and
V15.
WinCC Update
This update
provides new information on an advisory that was originally
reported on July 11th, 2019 and updated on August
13th, 2019.
Mitsubishi Update
This update
provides new information on an alert that was originally
published on August 13, 2019. The revised alert changes the name of the
vendor to “Mitsubishi Electric Europe B.V.”.
Other Siemens Advisories
Today was disclosure Tuesday for Siemens. They published
six advisories and three updates. Two of those advisories are for third-party
vulnerabilities (DejaBlue and Urgent/11). The Urgent/11 advisory could be added
to the NCCIC-ICS advisory on those vulnerabilities via an update on Thursday.
To date, NCCIC-ICS has not addressed DejaBlue, so I suspect that this Siemens
advisory will be ignored. The last advisory will probably be addressed by
NCCIC-ICS on Thursday.