ICS-CERT Updates 2 Siemens Advisories and Publishes 3 New Advisories

Today the DHS ICS-CERT updated two advisories for Siemens products from earlier this year and then published three new advisories for products from Siemens, Innominate mGuard and Moxa.

SIMATIC HMI Update

This update is for an advisory originally published in April and updated in April and July. This adds additional clarification as to the versions of the previously listed products are affected. Similarly the update provisions have been updated. It also added update instructions for TIA V12 SP1 devices and WinCC V7.2.

SIMATIC STEP 7 TIA Portal Update

This update is for an advisory originally published in February. This adds additional clarification as to the versions of the previously listed products are affected. An update has been added for SIMATIC STEP 7 (TIA Portal) V12 SP1.

Innominate mGuard Advisory

This advisory describes a denial-of-service (DoS) vulnerability in the Innominate mGuard device. This vulnerability has bee self-reported. Innominate has produced a firmware patch to mitigate this vulnerability.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to cause a temporary DoS condition in the VPN daemon on the device. Innominate reports that a successful authentication via X.509 certificate or PreShared Secret Key is required to exploit the vulnerability.

Siemens SIMATIC S7-1200 Advisory

This advisory describes a cross-site request forgery vulnerability on the Siemens SIMATIC S7-1200. This vulnerability was reported by Ralf Spenneberg, Hendrik Schwartke, and Maik Brüggemann from OpenSource Training. Siemens has produced a firmware update to mitigate the vulnerability. There is no indication that the researchers have been afforded the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability to perform actions at the level of the victim user.

Siemens reports that there are different firmware updates for Standard CPUs and Fail-safe CPUs.

Moxa Softcms Advisory

This advisory describes two different types of buffer overflow vulnerabilities in the Moxa Softcms software package. The vulnerabilities were reported by Carsten Eiram of Risk Based Security and Fritz Sands. The HP Zero Day Initiative coordinated the disclosures on these vulnerabilities. Moxa has released a new version of the software to mitigate these 9 separate vulnerabilities. There is no indication that the researchers have been given the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a moderately skilled attacker could remotely exploit these vulnerabilities to allow remote code execution.

BTW – ICS-CERT has included a formal note on their landing page that they have updated their PGP public key and they have corrected the bad link that I identified in my blog post Tuesday.

ICS-CERT Publishes Repetitive Hart DTM Advisory

Today the DHS ICS-CERT published another advisory for the CodeWrights Hart-DTM vulnerability that was originally reported in January. This time it was for a large number of devices from Endress+Hauser. Interestingly Endress+Hauser had already been added to the latest version of the CodeWrights version (C) of the advisory published in February.

The only new information in this advisory in this new advisory is the extensive list of E+H affected products and the fact that E+H had finally gotten around to updating the version of the CodeWrights library that they were using.

Nothing to see here move along.

Oh wait. There was an interesting tweet from ICS-CERT this afternoon before they announced the new advisory. It seems that they have recently updated/revised/whatever their public PGP key for secure submission to ICS-CERT. This is certainly important news. Fortunately they tweeted it because there is nothing on their web page that indicates that the key had been changed.

Instead of providing a direct link to the PGP key they send you to the main landing page. To find the link to the key you have to scroll all the way to the bottom of the page and click on “Download PGP/GPG keys”. This is NOT a download link but a link to the page where you can copy the PGP key.

I got there by a slightly more circuitous route starting with clicking on the “Report an Incident” button near the top of the same page. That page provides some interesting information on reporting stuff to ICS-CERT and is good to know. Near the bottom of the page it says:

“Organizations can download our PGP key at https://ics-cert.us-cert.gov/sites/default/files/documents/ICS-CERT.asc”

Don’t waste your time clicking on that link unless you want to see the ICS-CERT 404 page; nothing special there. Fortunately there is the same “Download PGP/GPG keys” link on the bottom of this page to take you to the real PGP key.

At least I think this is the new key. Nothing on the web site mentions that the key has been changed. This is getting to be a real problem on the ICS-CERT web site. There is no way to tell if something is new or old.