Monday, December 20, 2021

Review - 12-20-21 Siemens Advisories for Log4Shell

This afternoon Siemens published another new Log4Shell advisory and updated their original advisory.

New Advisory - Siemens published an advisory discussing the Log4Shell vulnerabilities in their TraceAlertServerPLUS, a software component installed in SVC PLUS energy transmission solutions.

Updated Advisory - Siemens published an update of their original Log4Shell advisory that was originally published on December 12th, 2021 and most recently updated on December 19th, 2021.

For more details about the advisory and update, see my article at CFSN Detailed Analysis - https://patrickcoyle.substack.com/p/12-20-21-siemens-advisories-for-log4shell - subscription required.

Commentary

Nobody can claim that Siemens is not actively working on remediating this unusual set of third-party vulnerabilities. But I have to ask the uncomfortable question: is it really helpful? Fixing a vulnerability in a control system is not just a matter of taking a computer out of service long enough to install an update. Properly done, it requires testing the update on a mirror system to see whether applying it has any unusual or unexpected consequences. Then the live system needs to be taken out of service, the updates applied, and the system tested again. Only then can facility production be resumed.

Facilities cannot afford to do this multiple times within eight days; many cannot afford to do it every year.

I am not sure what the answer is, but this particular vulnerability brings us to a perfect place in time to ask the question. Researchers, operators, red teams, and blue teams need to take a moment out of their even-more-hectic-than-normal schedules to think about and discuss how problems like this really need to be dealt with.

One thing that I am sure of: this is not the last vulnerability that will affect so many so quickly.
