Showing posts with label Meltdown. Show all posts

Tuesday, July 10, 2018

ICS-CERT Publishes 2 Advisories – Updates Spectre Alert


Today the DHS ICS-CERT published two control system security advisories for products from Schweitzer Engineering and Universal Robots. They also updated their alert for Meltdown/Spectre vulnerabilities.

Schweitzer Advisory


This advisory describes three vulnerabilities in the Schweitzer Compass and AcSELerator Architect products. The vulnerabilities were reported by Gjoko Krstic of Applied Risk. The latest versions of the software mitigate the vulnerabilities. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Incorrect default permissions - CVE-2018-10604;
• Improper restriction of XML external entity reference - CVE-2018-10600; and
• Uncontrolled resource consumption - CVE-2018-10608

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities with publicly available exploit code to allow modification/replacement of files within the Compass installation directory, disclosure of information, or denial of service.

Universal Robots Advisory


This advisory describes two vulnerabilities in the Universal Robots Robot Controllers. The vulnerabilities were reported by Davide Quarta, Mario Polino, Marcello Pogliani, and Stefano Zanero from Politecnico di Milano as well as Federico Maggi with Trend Micro Inc. Universal Robots has described generic workarounds to mitigate the vulnerabilities. There is no indication that any of the researchers have been provided with an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Use of hard-coded credentials - CVE-2018-10633; and
• Missing authentication for critical function - CVE-2018-10635

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to run arbitrary code on the device.

Meltdown/Spectre Update


This update provides additional information on an alert that was originally published on January 11th, 2018 and updated on January 16th, 2018, January 17th, 2018, January 30th, 2018, February 20th, 2018, February 22nd, 2018, March 1st, 2018 and again on April 26th, 2018 (typo in ICS-CERT update says 4-27-18). The update provides a link to the new PEPPERL+FUCHS (ecom mobile devices) advisory that I discussed on Saturday.

Thursday, March 1, 2018

ICS-CERT Publishes 3 Advisories and Updates the Meltdown Alert


Today the DHS ICS-CERT published three new control system security advisories for products from Delta Industrial Automation, Moxa and Siemens. They also updated the previously published alert for the Meltdown and Spectre chip vulnerabilities.

Delta Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Delta DOPSoft human machine interface. The vulnerability was reported by Ghirmay Desta via the Zero Day Initiative. Delta has a new version that mitigates the vulnerability. There is no indication that Desta has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause the device the attacker is accessing to crash; a buffer overflow condition may allow remote code execution.

Moxa Advisory


This advisory describes three vulnerabilities in the Moxa OnCell high-speed industrial-grade IP gateway. The vulnerabilities were reported by Kirill Nesterov, Eugenie Potseluevskaya, and Radu Motspan of Kaspersky Labs. Moxa has released a new firmware version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Reliance on cookies without validation and integrity checking - CVE-2018-5455;
• Improper handling of length parameter inconsistency - CVE-2018-5453; and
• Null pointer dereference - CVE-2018-5449

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute code on the device.

Siemens Advisory


This advisory describes multiple vulnerabilities in the Siemens SIMATIC, SIMOTION, and SINUMERIK industrial computers. These vulnerabilities were self-reported by Siemens. The Siemens security advisory reports that these are 3rd party vulnerabilities in the Intel Management Engine (ME), Intel Server Platform Services (SPS), and Intel Trusted Execution Engine (TXE).

The eight reported vulnerabilities are:

• Stack-based buffer overflow (5) - CVE-2017-5705, CVE-2017-5706, CVE-2017-5707, CVE-2017-5712, and CVE-2017-5711; and
• Permissions, privileges, and access controls (3) - CVE-2017-5708, CVE-2017-5709, and CVE-2017-5710

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities (some of the vulnerabilities require local access) to execute arbitrary code or gain unauthenticated access to sensitive data.

NOTE: Again, with 3rd party vulnerabilities one has to wonder what other systems will be affected. But, since Intel is such a small company (right) it is unlikely that any other vendors will use this vulnerable code (pardon the sarcasm).

Meltdown Update


This update provides additional information on an alert that was originally published on January 11th, 2018 and updated on January 16th, 2018, January 17th, 2018, January 30th, 2018, February 20th, 2018, and again on February 22nd, 2018.

The advisory provides links to new vendor reports on the vulnerabilities:

Dräger;
Pepperl+Fuchs; and

Thursday, February 22, 2018

ICS-CERT Updates Meltdown Alert Again


Today the DHS ICS-CERT published the second update of their Meltdown Alert for this week. The update provides new information on the alert that was originally published on January 11th, 2018 and updated on January 16th, 2018, January 17th, 2018, January 30th, 2018, and on February 20th, 2018.

The update provides links to three new vendor documents. They are:

Siemens (actually this link is good, but the one in the update does not work);
Stryker (this is a direct link, the one in the update is a link to a link)

Both the Beckman and Stryker links take you to documents that were dated in January, so they are very preliminary notifications with little information. The Siemens document is dated today, and it provides some level of actionable detail for a number of industrial products.

NOTE: Siemens also released two other new security notifications this morning as well as updating six previously issued notifications. We may see these tomorrow on ICS-CERT, but more likely it will be next week.

Tuesday, February 20, 2018

ICS-CERT Publishes ABB Advisory and Updates Meltdown Alert


Today the DHS ICS-CERT published a new control system security advisory for products from ABB. They also provided an update of their previously issued alert for the Meltdown and Spectre vulnerabilities.

ABB Advisory


This advisory describes an information exposure vulnerability in the ABB netCADOPS Web Application. The vulnerability was reported by İsmail Erkek. ABB has provided product updates to mitigate the vulnerability. There is no indication that Erkek was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow critical information about the database to be exposed. The ABB security advisory clarifies that the attacker would have to have access to the control network hosting the DMS to exploit the vulnerability.

Meltdown Alert Update


This update provides additional information on an alert that was originally published on January 11th, 2018 and updated on January 16th, 2018, January 17th, 2018 and on January 30th, 2018. The update adds a link to a new vendor notification from Honeywell. Previously identified vendor pages for ABB and Schneider have been updated since the last ICS-CERT update. NOTE: The updated ABB page is the one I mentioned on Saturday.

Wednesday, January 17, 2018

ICS-CERT Publishes Meltdown Update #2

Today the DHS ICS-CERT published their second update for their control system security alert for the Meltdown and Spectre CPU vulnerabilities. The alert was originally published on January 11th, 2018 and updated on 1-16-18. The update provides links to three new vendor notification documents:

Emerson (account required for login);
General Electric (account required for login, reference ID 000020832); and

The Schneider security notification has probably the most reasonable guidance that I have seen to date:


“Schneider Electric is actively monitoring vendor research into these vulnerabilities to determine appropriate actions to be taken. At the time of this publication, information is being updated rapidly and the impact of proposed mitigations and patches remains unclear. Many of the initial mitigations proposed by hardware and operating system vendors indicate a high level of potential performance impact, Schneider Electric recommends caution if mitigations or patches are applied to critical and/or performance constrained systems. If you elect to apply recommended patches or mitigations in advance of further guidance from Schneider Electric, we strongly recommend evaluating the impact of those measures on a Test & Development environment or an offline infrastructure.”

Tuesday, January 16, 2018

ICS-CERT Updates Meltdown Alert

Today the DHS ICS-CERT updated their Meltdown/Spectre alert that was originally published on January 11th. The new information includes links to the following additional vendor reports on the CPU vulnerabilities:

Philips; and

Additionally (and not specifically noted in this update), Becton, Dickinson, and Company have published a new security bulletin since the original ICS-CERT alert mentioned their initial report.

Commentary


Unfortunately, while providing links to the appropriate documents, ICS-CERT has not addressed the issue seen by a number of vendors: the Microsoft update may not be compatible with all control systems. That, plus the fact that Microsoft has decided to not allow the update to take effect on systems without an updated antivirus registry key, means that system owners need to pay very close attention to the final word from their vendors. Unfortunately, the information linked to in this update is mainly preliminary; most of the listed vendors are still looking at the compatibility issues.


Of course, it could be worse. We are still waiting for the initial ICS-CERT alert on the KRACK vulnerability.

Friday, January 12, 2018

ICS-CERT Publishes Alert, 3 Advisories and 1 Update

Yesterday ICS-CERT published an alert for the Intel Meltdown and Spectre vulnerabilities. They published three control system security advisories for products from Phoenix Contact, Moxa, and WECON. They also updated a previously published advisory for products from Advantech.

Meltdown Alert


This alert describes the CPU hardware side-channel vulnerabilities known as Meltdown and Spectre. The alert provides links to the following vendor notifications about these vulnerabilities:

ABB;
Rockwell Automation (account required for login); and
Siemens

The alert also provides a generic link to the ICS-CERT recommended practices page. It is disappointing that, in light of the problems seen with the Windows Update for Meltdown seen on some systems (here and here for example), ICS-CERT has not specifically mentioned the need for checking any updates on a test platform before uploading to a live control system.

Phoenix Contact Advisory


This advisory describes two vulnerabilities in the Phoenix Contact FL Switch product line. The vulnerabilities were reported by Ilya Karpov and Evgeniy Druzhinin of Positive Technologies. Newer versions of the firmware mitigate these vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper authorization - CVE-2017-16743; and
• Information exposure - CVE-2017-16741

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to gain administrative privileges and expose information to unauthenticated users.

Moxa Advisory


This advisory describes an unquoted search path vulnerability in the Moxa MXview network management software. The vulnerability was reported by Karn Ganeshen. Moxa has produced a firmware update that mitigates the vulnerability. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker with locally authorized access could exploit the vulnerability to escalate privileges by inserting arbitrary code into the unquoted service path.
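As an added illustration of what an unquoted service path means in practice (example code written for this post, not from the Moxa advisory or from ICS-CERT): for a service whose ImagePath contains spaces and is not quoted, the helper lists the intermediate paths Windows would try before the real executable, which are exactly the locations whose directory write permissions a defender should verify. The service names and ImagePath values are constructed samples.

```python
"""Audit helper for unquoted Windows service paths (constructed example)."""
import re
from typing import Dict, List, Optional

# Constructed sample entries in the shape of
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath.
SAMPLE_SERVICES = {
    "SampleSvcA": r"C:\Program Files\Vendor Tools\NMS\nms_service.exe",
    "SampleSvcB": r'"C:\Program Files\Vendor Tools\NMS\nms_service.exe" -run',
    "SampleSvcC": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "SampleSvcD": r"C:\Program Files\Vendor Tools\NMS\nms_service.exe -daemon",
}

def executable_part(image_path: str) -> Optional[str]:
    """Return the unquoted executable portion of an ImagePath, or None when
    the path is quoted or contains no space (the service is then unaffected)."""
    path = image_path.strip()
    if path.startswith('"'):
        return None
    # Arguments follow the ".exe"; keep only the executable path itself.
    # If no ".exe" is present the whole string is treated as the path.
    m = re.match(r"(.+?\.exe)(\s|$)", path, re.IGNORECASE)
    exe = m.group(1) if m else path
    return exe if " " in exe else None

def candidate_paths(image_path: str) -> List[str]:
    """Paths the service control manager would try, in order, before the real
    executable: each prefix ending at a space, with ".exe" appended."""
    exe = executable_part(image_path)
    if exe is None:
        return []
    candidates = []
    idx = exe.find(" ")
    while idx != -1:
        candidates.append(exe[:idx] + ".exe")
        idx = exe.find(" ", idx + 1)
    return candidates

def audit(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Keep only affected services, mapped to the paths whose parent
    directories must not be writable by unprivileged users."""
    return {n: c for n, p in services.items() if (c := candidate_paths(p))}

if __name__ == "__main__":
    for name, cands in audit(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path; verify write permissions on parents of:")
        for c in cands:
            print("   ", c)
```

The fix on the service side is to quote the ImagePath (as SampleSvcB shows); the audit only tells you which services still need it.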

WECON Advisory


This advisory describes two vulnerabilities in the WECON LeviStudio HMI Editor. The vulnerabilities were reported by Sergey Zelenyuk of RVRT, HanM0u of CloverSec Labs, and Brian Gorenc via the Zero Day Initiative. The latest version of the software mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2017-16739; and
• Heap-based buffer overflow - CVE-2017-16737

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to effect arbitrary code execution.

Advantech Update


This update provides additional information on an advisory that was originally published on January 4th, 2018. It adds two vulnerabilities to those previously reported:

• Unrestricted upload of file with dangerous type - CVE-2017-16736; and
• Use after free - CVE-2017-16732