Yesterday the CISA NCCIC-ICS published five control system
security advisories for products from ABB, Omron and Siemens (3); and one
medical device security advisory for products from Philips. They also updated
two previously published advisories for products from Siemens.
ABB Advisory
This advisory
describes an authentication bypass using an alternate path or channel
vulnerability in the ABB Power Generation Information Manager (PGIM) and Plant
Connect monitoring platforms. This vulnerability was reported by Rikard
Bodforss. ABB reports that PGIM will transition to a limited support phase in
January 2020, and Plant Connect is already obsolete.
NCCIC reports that a relatively low-skilled attacker could
remotely exploit the vulnerability to bypass
authentication and extract credentials from the device.
NOTE: I briefly reported
on this vulnerability earlier this month.
Omron Advisory
This advisory
describes a use of obsolete function vulnerability in the Omron CX-Supervisor.
The vulnerability was reported by Michael DePlante of the Zero Day Initiative.
Omron has a new version that mitigates the vulnerability. There is no
indication that DePlante has been provided an opportunity to verify the
efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability, resulting in information disclosure,
total compromise of the system, and system unavailability.
Desigo PX Advisory
This advisory
describes an external control of assumed immutable web parameter vulnerability in
the Siemens Desigo PX automation controllers. The vulnerability was reported
by Gjoko “LiquidWorm” Krstic from Zero Science Lab. Siemens has updates
that mitigate the vulnerability. There is no indication that Krstic has been
provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to cause a
denial-of-service condition on the device’s web server, requiring a reboot to
recover the web interface.
S7-1200 Advisory
This advisory
describes an exposed dangerous method or function vulnerability in the Siemens S7-1200
CPU. The vulnerability was reported
by Ali Abbasi from Ruhr University of Bochum. Siemens has provided generic
workarounds for this vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit this vulnerability to expose additional diagnostic functionality to
an attacker with physical access to the UART interface during the boot process. The
Siemens
advisory notes that the attacker must have physical access to the UART
interface during the boot process to exploit the vulnerability (feature).
NOTE: I briefly
discussed this vulnerability last weekend.
Mentor Nucleus Advisory
This advisory
describes an improper input validation vulnerability in the Siemens Mentor
Nucleus Networking Module. The vulnerability was reported by Armis. Siemens has
updates that mitigate the vulnerability. There is no indication that Armis was
provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to
affect the integrity and availability of the device. According to
the Siemens
advisory, adjacent network access (but no authentication and no user
interaction) is required to exploit the vulnerability.
Philips Advisory
This advisory
describes an inadequate encryption strength vulnerability in the Philips IntelliBridge
EC40 and EC80 data transfer devices. The vulnerability was reported by The
Medical Technology Solutions team of NewYork-Presbyterian Hospital. Philips has
provided generic workarounds while developing formal mitigation.
NCCIC-ICS reports that a relatively low-skilled attacker with
uncharacterized access could exploit this vulnerability to gain
unauthorized access to the IntelliBridge EC40/80 hub, and that this may allow access to
execute software, modify system configuration, or view/update files, including
unidentifiable patient data.
PROFINET Update
This update
provides additional information on an advisory that was originally
published on October 10th, 2019. The new information includes
new affected version information and mitigation measures for:
• SINAMICS S120 V4.7;
• SINAMICS S150;
• SINAMICS G130 V4.7;
• SINAMICS G150; and
• SINAMICS SL150 V4.7
Industrial Products Update
This update
provides additional information on an advisory that was originally
published on September 10th, 2019 and most
recently updated on October 8th, 2019. The new information
includes:
• Updated version information and
mitigation link for SIMATIC MV500; and
• Removed SIMATIC RF166C from
affected products.
Other Siemens Updates
On Tuesday Siemens also published
two other advisory updates that have not yet been addressed by NCCIC-ICS, nor
do I expect them to be addressed as the underlying vulnerabilities have not
been reported by NCCIC-ICS. I will report on them tomorrow.