This week we have two vendor notifications from
PEPPERL+Fuchs and Moxa. We also have a 0-day vulnerability report for products
from Siemens. Plus there is an interesting look at the out-of-service problem
and a follow-up to the ABB advisory I discussed last week.
PEPPERL+Fuchs Advisory
CERT VDE published an advisory
describing a use-after-free vulnerability in the PEPPERL+Fuchs ecom Mobile
Devices. The vulnerability was reported by Maddie Stone from Google Project
Zero. This is a previously
reported third-party (Linux) vulnerability in the underlying Android
operating system. The vulnerable products are out of support.
NOTE: Other vendors using Android-based devices will likely
have similar vulnerabilities.
Moxa Advisory
Moxa published an
advisory describing two GET command vulnerabilities in the Moxa EDS-405A
Series Ethernet Switches. The vulnerabilities are self-reported. Moxa has a
patch available to mitigate the vulnerabilities.
Siemens Vulnerability
There is an interesting
article over on DARKReading.com (thanks to @PatrickCMiller for pointing me
at the article) describing an interesting feature/vulnerability in the Siemens
S7-1200 PLCs. The article notes that Siemens has been notified (okay, so not
technically a 0-day), but there has not yet been an advisory or fix from
Siemens. I expect we may see an advisory on Tuesday during the monthly Siemens
advisory drop.
If it ain’t broke don’t fix it Department
There is an interesting announcement
from Omron about the pending ‘out-of-support’ status for Windows 7®. The information
is rather generic and references no specific Omron products. It does, however,
provide a unique view of why it may be difficult for control system owners to
transfer systems to newer versions of the Windows® operating system (or to
update to any new OS, for that matter).
Omron notes that:
When upgrading an old control
system including obsolete PCs and operating systems make sure you consider the
following:
• Which Operating System should
you upgrade to - the next OS or the latest OS?
• Will your PC hardware (CPU, disk
space etc) support your new OS or will you need to purchase new hardware too?
• Will your existing software
applications support your new OS or will you need to purchase a software
upgrade?
Given the fact that industrial control systems are custom
installations, potentially involving large numbers of vendors, it is easy to
see that upgrading to a supported OS could get to be quite expensive in time
and money. It is no wonder that we still have large numbers of systems
operating on Windows XP®.
ABB Follow-up
An interesting tweet and
associated blog
post from Rikard Bodfros on last
week’s ABB vulnerability report.