Yesterday the DHS NCCIC-ICS published two control system security
advisories for products from Siemens. They also published five control system
updates for products from Interpeak (2) and Siemens (3) and a medical device
update for Philips.
PROFINET Advisory
This advisory
describes an uncontrolled resource consumption vulnerability in the Siemens PROFINET
Devices. Siemens self-reported the vulnerability. Siemens has new versions for
many of the affected versions that mitigate the vulnerability and provides
generic workarounds for the rest while formal mitigation measures are developed.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to cause a denial-of-service
condition.
IRT Devices Advisory
This advisory
describes an improper input validation vulnerability in the Siemens Industrial
Real-Time (IRT) Devices. Siemens self-reported the vulnerability. Siemens has
new versions for many of the affected versions that mitigate the vulnerability
and provides generic workarounds for the rest while formal mitigation measures
are developed.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to cause a denial-of-service
condition.
Interpeak Update #1
This update
provides additional information on an advisory that was originally
published on October 1st, 2019 and last
updated on October 3rd, 2019. The new information includes:
• Updated mitigation information for Enea and Green
Hills Software; and
Interpeak Update #2
This update
provides additional information on an advisory that was originally
published on October 1st, 2019. The new information includes
updated mitigation information for Enea and Green Hills Software.
SIMATIC Update #1
This update
provides additional information on an advisory that was originally
published on July 11th, 2019 and last
updated on September 10th, 2019. The new information includes:
• Updated remediation for SIMATIC WinCC Runtime
Professional V15;
• Updated affected versions and mitigation
information for:
◦ SIMATIC WinCC Professional (TIA Portal V14); and
◦ SIMATIC WinCC Professional (TIA Portal V15)
SIMATIC Update #2
This update
provides additional information on an advisory that was originally
published on July 9th, 2019 and last
updated on September 10th, 2019. The new information includes:
• Updated remediation for SIMATIC WinCC Runtime
Professional V15;
• Updated affected versions and mitigation
information for:
◦ SIMATIC WinCC Professional (TIA Portal V14); and
◦ SIMATIC WinCC Professional (TIA Portal V15)
Industrial Products Update
This update
provides additional information on an advisory that was originally
published on November 8th, 2016 and last
updated on June 14th, 2018. The new information includes:
• Merged WinAC RTX 2010 SP2 and WinAC RTX F 2010 SP2
to SIMATIC WinAC RTX (F) 2010; and
• Added mitigation information for SIMATIC WinAC RTX
(F) 2010
Philips Update
This update
provides additional information on an advisory that was originally
published on May 3rd, 2018. The added information includes an
additional affected product that is out of support.
Other Siemens Advisories
There are still one advisory and two updates that Siemens published
on October 8th that have not been addressed by NCCIC-ICS. I will
report on those tomorrow.