Saturday, November 9, 2019

Public ICS Disclosures – Week of 11-02-19

This week we have two vendor notifications from PEPPERL+Fuchs and Moxa. We also have a 0-day vulnerability report for products from Siemens. Plus there is an interesting look at the out-of-service problem and a follow-up to the ABB advisory I discussed last week.

PEPPERL+Fuchs Advisory

CERT VDE published an advisory describing a use-after-free vulnerability in the PEPPERL+Fuchs ecom Mobile Devices. The vulnerability was reported by Maddie Stone from Google Project Zero. This is a previously reported third-party (Linux) vulnerability in the underlying Android operating system. The vulnerable products are out of support.

NOTE: Other vendors using Android based devices will likely have similar vulnerabilities.

Moxa Advisory

Moxa published an advisory describing two GET command vulnerabilities in the Moxa EDS-405A Series Ethernet Switches. The vulnerabilities are self-reported. Moxa has a patch available to mitigate the vulnerabilities.

Siemens Vulnerability

There is an interesting article over on (thanks to @PatrickCMiller for pointing me at the article) describing a feature/vulnerability in the Siemens S7-1200 PLCs. The article notes that Siemens has been notified (okay, so not technically a 0-day), but there has not yet been an advisory or fix from Siemens. I expect we may see an advisory on Tuesday during the monthly Siemens advisory drop.

If it ain’t broke don’t fix it Department

There is an interesting announcement from Omron about the pending ‘out-of-support’ status for Windows 7®. The information is rather generic and references no specific Omron products. It does, however, provide a unique view of why it may be difficult for control system owners to move systems to newer versions of the Windows® operating system (or to any other new OS, for that matter).

Omron notes that:

When upgrading an old control system including obsolete PCs and operating systems make sure you consider the following:
• Which Operating System should you upgrade to - the next OS or the latest OS?
• Will your PC hardware (CPU, disk space etc) support your new OS or will you need to purchase new hardware too?
• Will your existing software applications support your new OS or will you need to purchase a software upgrade?

Given the fact that industrial control systems are custom installations, potentially involving large numbers of vendors, it is easy to see that upgrading to a supported OS could become quite expensive in time and money. It is no wonder that we still have large numbers of systems operating on Windows XP®.

ABB Follow-up

An interesting tweet and associated blog post from Rikard Bodfros on last week’s ABB vulnerability report.
