Sunday, September 13, 2020

Public ICS Disclosures – Part II


This week also included the latest tranche of advisories and updates from Siemens. Most of those were addressed by NCCIC-ICS, but three updates from Siemens were not covered.

GNU/Linux Update

Siemens published an update for their advisory on GNU/Linux vulnerabilities in their SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP. The advisory was originally published in 2018 and most recently updated on August 11th, 2020. The new information includes adding the following CVEs:

• CVE-2020-8620,

• CVE-2020-8621,

• CVE-2020-8622,

• CVE-2020-8623,

• CVE-2020-8624, and

• CVE-2020-16166

NOTE 1: Siemens periodically updates the firmware for this device, mitigating vulnerabilities as it does so. The advisory still shows existing vulnerabilities dating back to 2015 in the most current firmware version.

NOTE 2: NCCIC-ICS has not published an advisory for these Siemens vulnerabilities.

SIMATIC Update

Siemens published an update for their SIMATIC, SIMOCODE, SINAMICS, SITOP, and TIM advisory that was originally published on December 10th, 2019 and most recently updated on August 11th, 2020. The new information includes information about successor products for SIMATIC RF180C and RFID 181EIP.

NOTE: There is an NCCIC-ICS advisory for the vulnerability described in the Siemens update.

PROFINET-IO Update

Siemens published an update for their PROFINET-IO advisory that was originally published on February 11th, 2020 and most recently updated on August 11th, 2020. The new information includes information about successor products for SIMATIC RF180C and RFID 181EIP.

NOTE: There is an NCCIC-ICS advisory for the vulnerability described in the Siemens update.

Commentary

The last two updates had corresponding NCCIC-ICS advisories that were not updated. Both Siemens advisories included the same information:

“For SIMATIC RF180C and RF182C: migrate to a successor product within the SIMATIC RF18xC/CI family, V1.3 or later version. For details refer to the notice of discontinuation.”

I am not sure why NCCIC-ICS would not consider this to be a valuable piece of mitigation information for users of these devices. I hope that this was simply an oversight on the part of NCCIC-ICS that will be corrected in the coming week.
