Showing posts with label IXIA. Show all posts

Wednesday, June 13, 2018

ICS-CERT Publishes 2 Advisories and Updates 3 Siemens Advisories


Yesterday the DHS ICS-CERT published two control system security advisories for products from Siemens and Schneider. It also updated three control system security advisories for products from Siemens.

BTW: I discussed the Schneider advisory Saturday.

Siemens Advisory


This advisory describes two cross-site scripting vulnerabilities in the Siemens SCALANCE X switches. The vulnerabilities were reported by Marius Rothenbücher and Ali Abbas. Siemens has provided updates that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a highly-skilled attacker could remotely exploit the vulnerability to store script code on the website and execute cross-site scripting (XSS), affecting the website’s confidentiality, integrity, and availability. The Siemens advisory notes that one of the vulnerabilities requires the attacker to log into the web application, but the other can be exploited via a social engineering attack.

Schneider Advisory


This advisory describes four vulnerabilities in the Schneider U.motion Builder. The vulnerabilities were reported by Wei Gao of Ixia and bigric3@360A-TEAM. Schneider has a firmware patch that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2018-7784;
• OS command injection - CVE-2018-7785;
• Cross-site scripting - CVE-2018-7786; and
• Improper input validation - CVE-2018-7787.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow for remote code execution.

SIMATIC Update


This update provides new information on an advisory that was originally published on February 14th, 2017 and updated on June 15th, on July 6th and again on November 31st, 2018. The update corrects the affected version data for PCS 7.


SIMATIC PCS7 Update


This update provides new information on an advisory that was originally published on November 2nd, 2018. The update corrects the affected version data for PCS 7 v8.2 and provides information about the update available to mitigate the vulnerability.

SIMATIC WinCC Update


This update provides new information on an advisory that was originally published on March 29th, 2018 and updated on April 24th, 2018. The update corrects the affected version data for PCS 7 v8.2 and provides information about the update available to mitigate the vulnerability. In both this and the previous update, the new service pack for PCS 7 v8.2 is available from ‘local support’.

NOTE: Siemens announced a total of 5 new advisories and 5 updates yesterday. I expect that we will see the remainder Thursday.

Saturday, June 9, 2018

Public ICS Disclosures – Week of 06-02-18


This week we have a vendor disclosure (mentioned here in passing last week) from Schneider, a vendor update from BD, and two researcher coordinated disclosures for products from Ocularis and Foscam.

Schneider Advisory


Schneider reported four vulnerabilities in their U.motion Builder product. The vulnerabilities were reported by Wei Gao from Ixia. Schneider has an update to mitigate the vulnerabilities. There is no indication that Wei was provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Print format vulnerability - CVE-2018-7784;
• Remote command injection - CVE-2018-7785;
• Cross-site scripting - CVE-2018-7786; and
• Improper input validation - CVE-2018-7787.

BD Update


BD provided a brief update to their KRACK advisory. They advised users of Pyxis products that are end-of-life, end-of-support, or running unsupported operating systems to contact their service representatives for assistance.

Ocularis Vulnerability


Talos reported a denial of service vulnerability in the Ocularis Recorder video management system which is touted as a Physical Security Information Management (PSIM) platform. The report includes proof-of-concept exploit code. Talos reported this vulnerability to the vendor on March 5th, 2018.

Foscam Vulnerabilities


The VDOO Vulnerability Research Team reported on the Full Disclosure mailing list three vulnerabilities in the Foscam IP Camera models and provided a link to their detailed report. The report includes proof-of-concept exploit code.

The three reported vulnerabilities are:

• Arbitrary file deletion vulnerability - CVE-2018-6830;
• Stack-based buffer overflow - CVE-2018-6832; and
• Shell command injection vulnerability - CVE-2018-6831.

Thursday, December 3, 2015

ICS-CERT Published Two Advisories

This afternoon the DHS ICS-CERT published two control system advisories for products from Honeywell and SearchBlox.


Honeywell Advisory

This advisory describes two vulnerabilities in the Honeywell Midas gas detector. The vulnerabilities were reported by Maxim Rupp. Honeywell has produced new firmware versions to mitigate the vulnerabilities, but there is no indication that Rupp was provided the opportunity to verify the efficacy of the fix.

The two vulnerabilities are:

• Path traversal - CVE-2015-7907; and
• Clear text transmission of sensitive information - CVE-2015-7908.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to make unauthorized configuration changes to the device.

This advisory was originally released to the US CERT Secure Portal on November 5, 2015. Again, if you were authorized access to the Secure Portal (see the bottom of the ICS-CERT landing page for instructions on how to request access) you could have already applied the new firmware to your detectors.

Note: The link in the ICS-CERT advisory for the Honeywell Security Notice is incorrect. It should be: http://www.honeywellanalytics.com/en/support/product-notifications/midas-security-notification-firmware-update-available

SearchBlox Advisory

This advisory describes an information exposure vulnerability in the SearchBlox web-based proprietary search engine application. The vulnerability was reported by Oana Murarasu of Ixia. SearchBlox has developed a new version that mitigates the vulnerability, but there is no indication that Murarasu has been provided the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to export the config file without admin login, overwrite the config file without admin login, and add or delete (non-admin) users.

Missing Alert?


I was really expecting to see ICS-CERT publish an alert today on the Advantech EKI vulnerabilities that were reported on Tuesday by Rapid7, especially since there is already a Metasploit module available for the vulnerabilities. The reason might be that these are actually ‘old’ vulnerabilities (Heartbleed, Shellshock and a previously reported buffer overflow) that apparently made their way back into the firmware update for the latest ICS-CERT reported advisory (ISCA-15-309-01).

Thursday, April 3, 2014

Yet Another Schneider Advisory from ICS-CERT

Today the DHS ICS-CERT published yet another advisory for a vulnerability in a product from Schneider Electric. This one is for a buffer overflow vulnerability in the OPC Factory Server (OFS). The vulnerability was reported by Wei Gao, formerly of IXIA. Schneider has produced an update that mitigates the vulnerability and Wei Gao has verified the efficacy of the patch. Interestingly the Schneider published advisory does not mention Wei Gao.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this ActiveX-based vulnerability to execute a denial of service attack by causing the device to reboot.

Schneider reports that the patch includes a patched version of the OLE2T macro from Microsoft. This is also noted in the ICS-CERT advisory. I wonder what other programs are using the vulnerable version of OLE2T?


NOTE: The Schneider security site pointed to by this advisory also includes a link to another update of the Modbus Driver Advisory that I most recently updated on Tuesday.

Monday, November 25, 2013

ICS-CERT Publishes Triangle Research PLC Advisory

Today the DHS ICS-CERT published an advisory for an improper input validation vulnerability in the Nano-10 PLC firmware from Triangle Research. The vulnerability was reported by Wei Gao of IXIA in a coordinated disclosure.

ICS-CERT reports that the vulnerability could be remotely exploited by a moderately skilled attacker to create a denial of service condition in the PLC. TRI has produced a firmware upgrade that fixes the problem (and its efficacy has been verified by Wei), but it cannot be upgraded in the field. The PLC needs to be returned to the manufacturer for the upgrade. (Now what does that do to system availability?) Oh well, ICS-CERT recommends protecting the control system with a firewall “used to deny Port 502/TCP traffic from traversing business/corporate networks to the control systems networks”.


Now this is not a DNP3 system so this is not exactly the same type of improper input validation vulnerability reported by Crain-Sistrunk, but this does sound very similar except that it is in a Modbus system. I’m wondering if this is what Adam and Chris are going to be going hunting for with their new Modbus tool that will be released next year after their DNP3 fuzzer is released.