Public ICS Disclosures – Week of 06-23-18

This week we have a vendor advisory and two updates of previously issued advisories from Siemens. Additionally, OSIsoft released a new version of their PI SDK 2018 that, according to the release notes, addresses (among other issues) “potential security issues in PI SDK code as identified by Synopsis Static Analysis (Coverity)”.

Siemens Advisory

This advisory describes “service of the affected products listening on all of the host’s network interfaces on either port 4884/TCP, 5885/TCP, or port 5886/TCP could allow an attacker to either exfiltrate limited data from the system or to execute code with Microsoft Windows user permissions”. The vulnerability was reported by Chris Bellows and HD Moore from Atredis Partners and Austin Scott from San Diego Gas and Electric. Siemens has provided new versions for some of the affected products to mitigate the vulnerability and identified work arounds for others. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

RAPIDLab Update

This update provides new information on two vulnerabilities that was previously reported by Siemens on June 12^th, 2018. The new information is an acknowledgement that the vulnerabilities were reported by Oran Avraham from MEDIGATE. This advisory has not been reported by ICS-CERT.

Spectre and Meltdown Update

This update provides new information on the Spectre and Meltdown vulnerabilities in Industrial Products that was last updated on May 29^th,  2018. The new information provides new version and mitigation information for HMI Panels with SIMATIC WinCC V14.

Commentary

You have to give OSIsoft credit for turning to an outside agency (Coverity) to have static code analysis done on their product. This independent evaluation is an example of going the extra mile in secure code development. What is not clear, however, from the release notes on this product is whether or not the code issues being corrected existed in the earlier versions of the development kit.

If the corrected vulnerabilities were in earlier versions, I would have preferred to see an enumeration of those vulnerabilities in a security advisory so that users could conduct a proper risk assessment to see if their situation necessitated an immediate upgrade to this newer version. OSIsoft has a strong history of identifying and correcting security issues, so I suspect that they felt that either the vulnerabilities were related just to new code or that they vulnerabilities in the previous code were so minor as to not require specific notification.

ICS-CERT Publishes 2 Advisories and 1 Update

Today the DHS ICS-CERT published a control system security advisory for products from ABB and a medical device security advisory for products from Philips. They also updated a medical device security advisory for products from Silex.

ABB Advisory

This advisory describes three vulnerabilities in the ABB IP Gateway. The vulnerabilities were reported by Maxim Rupp. ABB has a new version that mitigates the vulnerabilities. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper authentication - CVE-2017-7931;

• Cross-site request forgery - CVE-2017-7906; and

• Unprotected storage of credentials - CVE-2017-7933

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerabilities to perform actions using administrative privileges.

NOTE: I reported these vulnerabilities nearly three weeks ago when ABB published their advisory.

Philips Advisory

This advisory describes three vulnerabilities in the Philips IntelliVue Patient Monitors and Avalon Fetal/Maternal Monitors. These vulnerabilities were reported by Oran Avraham of Medigate. Philips has provided mitigation suggestions to use until an update becomes available. There is no indication that Avraham has been provided an opportunity to verify the efficacy of the interim measures.

The three reported vulnerabilities are:

• Improper authentication - CVE-2018-10597;

• Information exposure - CVE-2018-10599; and

• Stack-based buffer overflow - CVE-2018-10601

ICS-CERT reports that a highly-skilled attacker on the same local device subnet could exploit these vulnerabilities to read/write memory, and/or induce a denial of service through a system restart, thus potentially leading to a delay in diagnosis and treatment of patients.

NOTE: These vulnerabilities have not been reported on the FDA Medical Device Safety Communications page.

Silex Update

This update provides new information on an advisory that was originally reported on May 8^th, 2018 and updated on May 31^st, 2018. The update provides a link to a firmware update for SD-320AN (separate from GEH-SD-320AN) and a link to GE security information about the vulnerability.