
Saturday, June 30, 2018

Public ICS Disclosures – Week of 06-23-18


This week we have a vendor advisory and two updates of previously issued advisories from Siemens. Additionally, OSIsoft released a new version of their PI SDK 2018 that, according to the release notes, addresses (among other issues) “potential security issues in PI SDK code as identified by Synopsis Static Analysis (Coverity)”.

Siemens Advisory


This advisory describes a vulnerability in which a “service of the affected products listening on all of the host’s network interfaces on either port 4884/TCP, 5885/TCP, or port 5886/TCP could allow an attacker to either exfiltrate limited data from the system or to execute code with Microsoft Windows user permissions”. The vulnerability was reported by Chris Bellows and HD Moore from Atredis Partners and Austin Scott from San Diego Gas and Electric. Siemens has provided new versions for some of the affected products to mitigate the vulnerability and identified workarounds for others. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

RAPIDLab Update


This update provides new information on two vulnerabilities that were previously reported by Siemens on June 12th, 2018. The new information is an acknowledgement that the vulnerabilities were reported by Oran Avraham from MEDIGATE. This advisory has not been reported by ICS-CERT.

Spectre and Meltdown Update


This update provides new information on the Spectre and Meltdown vulnerabilities in Industrial Products that was last updated on May 29th, 2018. The new information provides new version and mitigation information for HMI Panels with SIMATIC WinCC V14.

Commentary


You have to give OSIsoft credit for turning to an outside agency (Coverity) to have static code analysis done on their product. This independent evaluation is an example of going the extra mile in secure code development. What is not clear, however, from the release notes on this product is whether or not the code issues being corrected existed in the earlier versions of the development kit.

If the corrected vulnerabilities were in earlier versions, I would have preferred to see an enumeration of those vulnerabilities in a security advisory so that users could conduct a proper risk assessment to see if their situation necessitated an immediate upgrade to this newer version. OSIsoft has a strong history of identifying and correcting security issues, so I suspect that they felt that either the vulnerabilities were related just to new code or that the vulnerabilities in the previous code were so minor as to not require specific notification.

Tuesday, May 8, 2018

ICS-CERT Publishes 4 Advisories


Today the DHS ICS-CERT published three control system security advisories for products from Siemens. They also published a medical device security advisory for products from Silex Technology and GE Healthcare. The Siemens advisories are the ones that I mentioned last week.

Siveillance App Advisory


This advisory describes an improper certificate validation vulnerability in the Siemens Siveillance VMS Video Mobile Apps (both Android and iOS versions). The vulnerability was reported by Karsten Sohr from TZI Bremen. Siemens has new versions that mitigate the vulnerability. There is no indication that Sohr has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker in a privileged network position could remotely exploit the vulnerability to read data from and write data to the encrypted communication channel between the app and a server.

Siveillance Advisory


This advisory describes a deserialization of untrusted data vulnerability in the Siemens Siveillance VMS IP video management software. This vulnerability is being self-reported. Siemens has produced updates that mitigate the vulnerability. The Siemens advisory also recommends restricting network access to port 7474/TCP and port 9993/TCP.

ICS-CERT reports that an uncharacterized attacker could remotely exploit the vulnerability to allow elevation of privileges and/or cause a denial-of-service.
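Both the Siemens advisory above (services bound to all host interfaces on 4884/TCP, 5885/TCP or 5886/TCP) and the Siveillance VMS advisory (restrict access to 7474/TCP and 9993/TCP) come down to the same operational question for an asset owner: is one of those ports listening on a wildcard address on this Windows host? The script below is an added example, not code from Siemens, ICS-CERT or this blog; it parses constructed `netstat -ano` style output and flags only the advisory ports that are bound to every interface, so loopback-only listeners are not reported.

```python
import re
from typing import Dict, List, Tuple

# TCP ports named in the two advisories summarised above.
ADVISORY_PORTS: Dict[int, str] = {
    4884: "Siemens advisory (week of 06-23-18)",
    5885: "Siemens advisory (week of 06-23-18)",
    5886: "Siemens advisory (week of 06-23-18)",
    7474: "Siveillance VMS advisory",
    9993: "Siveillance VMS advisory",
}

# Bind addresses that mean "every interface on the host" (IPv4 and IPv6).
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "::"}

# One LISTENING row of Windows `netstat -ano` output: proto, local addr:port,
# foreign addr, state, PID. The format is assumed from typical output.
_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

# Constructed sample output; the PIDs and addresses are made up for the example.
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:4884           0.0.0.0:0              LISTENING       3120
  TCP    127.0.0.1:5885         0.0.0.0:0              LISTENING       3120
  TCP    [::]:7474              [::]:0                 LISTENING       4016
  TCP    0.0.0.0:9993           0.0.0.0:0              LISTENING       4016
  TCP    192.168.1.10:49700     10.0.0.5:443           ESTABLISHED     2200
"""

def parse_listeners(netstat_output: str) -> List[Tuple[str, int, int]]:
    """Return (bind_address, port, pid) for every TCP row in LISTENING state."""
    rows = []
    for line in netstat_output.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return rows

def exposed_advisory_ports(netstat_output: str) -> List[dict]:
    """Flag advisory ports bound to a wildcard address; loopback binds are ignored."""
    findings = []
    for addr, port, pid in parse_listeners(netstat_output):
        if port in ADVISORY_PORTS and addr in WILDCARD_ADDRS:
            findings.append({"port": port, "addr": addr, "pid": pid,
                             "advisory": ADVISORY_PORTS[port]})
    return findings

if __name__ == "__main__":
    for f in exposed_advisory_ports(SAMPLE_NETSTAT):
        print(f"port {f['port']}/TCP on {f['addr']} (PID {f['pid']}): {f['advisory']}")
```

On the sample, 4884, 7474 and 9993 are reported; 5885 is bound to 127.0.0.1 only and is correctly left out, which is the distinction a host-firewall or workaround check needs to make.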

SINAMICS Advisory


This advisory describes two separate improper input validation vulnerabilities in the Siemens medium voltage SINAMICS Products. These vulnerabilities are self-reported. Siemens has updates available to mitigate the vulnerabilities.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to effect a denial-of-service condition, resulting in a manual restart of the affected devices.

Silex Advisory


This advisory describes two vulnerabilities in the Silex SX-500 and SD 320AN as well as products integrated into GE Mobile Link. The vulnerabilities were reported by Eric Evenchick of Atredis Partners; they have published proof of concept code for the vulnerabilities here and here. A new firmware version is scheduled for release later this month that mitigates the vulnerability. ICS-CERT reports that Evenchick has verified the efficacy of the fix.

The two reported vulnerabilities are:

• Improper authentication - CVE-2018-6020; and
• OS command injection - CVE-2018-6021

ICS-CERT reports that a relatively low-skilled attacker using the publicly available exploits could remotely exploit the vulnerabilities to allow modification of system settings and remote code execution.

NOTE: This vulnerability was not reported on the FDA Medical Device Safety Communications web site.
