
Tuesday, July 10, 2018

ICS-CERT Publishes 2 Advisories – Updates Spectre Alert


Today the DHS ICS-CERT published two control system security advisories for products from Schweitzer Engineering and Universal Robots. They also updated their alert for Meltdown/Spectre vulnerabilities.

Schweitzer Advisory


This advisory describes three vulnerabilities in the Schweitzer Compass and AcSELerator Architect products. The vulnerabilities were reported by Gjoko Krstic of Applied Risk. The latest versions of the software mitigate the vulnerabilities. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Incorrect default permissions - CVE-2018-10604;
• Improper restriction of XML external entity reference - CVE-2018-10600; and
• Uncontrolled resource consumption - CVE-2018-10608

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities with publicly available exploit code to allow modification/replacement of files within the Compass installation directory, disclosure of information, or denial of service.

Universal Robots Advisory


This advisory describes two vulnerabilities in the Universal Robots Robot Controllers. The vulnerabilities were reported by Davide Quarta, Mario Polino, Marcello Pogliani, and Stefano Zanero from Politecnico di Milano as well as Federico Maggi with Trend Micro Inc. Universal Robots has described generic workarounds to mitigate the vulnerabilities. There is no indication that any of the researchers have been provided with an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Use of hard-coded credentials - CVE-2018-10633; and
• Missing authentication for critical function - CVE-2018-10635

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to run arbitrary code on the device.

Meltdown/Spectre Update


This update provides additional information on an alert that was originally published on January 11th, 2018 and updated on January 16th, 2018, January 17th, 2018, January 30th, 2018, February 20th, 2018, February 22nd, 2018, March 1st, 2018 and again on April 26th, 2018 (typo in ICS-CERT update says 4-27-18). The update provides a link to the new PEPPERL+FUCHS (ecom mobile devices) advisory that I discussed on Saturday.

Saturday, July 7, 2018

Public ICS Disclosures – Week of 06-30-18


This week we have four vendor reports of vulnerabilities {Siemens, ABB, and PEPPERL+FUCHS (2)} and exploits for two previously reported vulnerabilities (Cisco and Delta Industrial).

Siemens Advisory


This advisory describes six vulnerabilities in the Siemens SICLOCK TC devices. These vulnerabilities are being self-reported. The products are at end-of-life and thus Siemens is just providing workarounds for these vulnerabilities (which probably explains why they have not reported these to ICS-CERT).

Siemens reports that the vulnerabilities could be exploited by an attacker with network access to the device to cause Denial-of-Service conditions, bypass the authentication, and modify the firmware of the device or the administrative client.

ABB Advisory


This advisory describes a file parser vulnerability in the ABB Panel Builder 800 products. The vulnerability was reported by Michael DePlante of Leahy Center for Digital Investigation and Michael Flanders of Trend Micro. ABB is working on an update for this product, but has provided workarounds to mitigate the vulnerability.

ABB notes that a social engineering attack is required to exploit the product. A successful exploit would allow the attacker to insert and run arbitrary code on a computer where the affected product is used.

NOTE: There was a second advisory reported on the ABB web site for their Sentinel HASP/LDK License Manager, but there was some sort of problem with the link provided.

PEPPERL+FUCHS Advisories


The first advisory addresses the Spectre and Meltdown vulnerabilities in their ecom mobile devices. This is separate from their previously reported Spectre/Meltdown advisory for their HMI products. That other advisory is listed in the most recent ICS-CERT alert update.

The advisory notes that firmware updates will be released for the affected products.

The second advisory describes a remote code execution vulnerability in the PEPPERL+FUCHS HMI products. The vulnerability was reported by Eyal Karni, Yaron Zinar, and Roman Blachman of Preempt Research Labs. This vulnerability is in a third-party product, Microsoft's Credential Security Support Provider. PEPPERL+FUCHS has provided updates for some of the affected products and recommended using the Microsoft Windows update for the remaining Windows 7 or Windows 10 based systems.

Cisco Exploit


Yassine Aboukir published exploit code on ExploitDB.com for a path traversal vulnerability in the Cisco ASA Software and Cisco Firepower Threat Defense (FTD) Software. This vulnerability was most recently reported by ICS-CERT as a third party vulnerability in the Rockwell Allen-Bradley Stratix 5950.

Delta Industrial Exploit


t4rkd3vilz published exploit code on ExploitDB.com for a stack-based buffer overflow vulnerability in the Delta Industrial Automation COMMGR. This vulnerability was reported by ICS-CERT on June 21st, 2018.

Wednesday, January 17, 2018

ICS-CERT Publishes Meltdown Update #2

Today the DHS ICS-CERT published their second update for their control system security alert for the Meltdown and Spectre CPU vulnerabilities. The alert was originally published on January 11th, 2018 and updated on 1-16-18. The update provides links to three new vendor notification documents:

Emerson (account required for login);
General Electric (account required for login, reference ID 000020832); and

The Schneider security notification has probably the most reasonable guidance that I have seen to date:


“Schneider Electric is actively monitoring vendor research into these vulnerabilities to determine appropriate actions to be taken. At the time of this publication, information is being updated rapidly and the impact of proposed mitigations and patches remains unclear. Many of the initial mitigations proposed by hardware and operating system vendors indicate a high level of potential performance impact, Schneider Electric recommends caution if mitigations or patches are applied to critical and/or performance constrained systems. If you elect to apply recommended patches or mitigations in advance of further guidance from Schneider Electric, we strongly recommend evaluating the impact of those measures on a Test & Development environment or an offline infrastructure.”

Tuesday, January 16, 2018

ICS-CERT Updates Meltdown Alert

Today the DHS ICS-CERT updated their Meltdown/Spectre alert that was originally published on January 11th. The new information includes links to the following additional vendor reports on the CPU vulnerabilities:

Philips; and

Additionally (and not specifically noted in this update), Becton, Dickinson, and Company have published a new security bulletin since the original ICS-CERT alert mentioned their initial report.

Commentary


Unfortunately, while providing links to the appropriate documents, ICS-CERT has not addressed the issue seen by a number of vendors: the Microsoft update may not be compatible with all control systems. That, plus the fact that Microsoft has decided not to allow the update to take effect on systems without an updated antivirus registry key, means that system owners need to pay close attention to the final word from their vendors. Unfortunately, the information linked to in this update is mainly preliminary; most of the listed vendors are still looking at the compatibility issues.


Of course, it could be worse. We are still waiting for the initial ICS-CERT alert on the KRACK vulnerability.

Friday, January 12, 2018

ICS-CERT Publishes Alert, 3 Advisories and 1 Update

Yesterday ICS-CERT published an alert for the Intel Meltdown and Spectre vulnerabilities. They published three control system security advisories for products from Phoenix Contact, Moxa, and WECON. They also updated a previously published advisory for products from Advantech.

Meltdown Alert


This alert describes the CPU hardware side-channel vulnerabilities known as Meltdown and Spectre. The alert provides links to the following vendor notifications about these vulnerabilities:

ABB;
Rockwell Automation (account required for login); and
Siemens

The alert also provides a generic link to the ICS-CERT recommended practices page. It is disappointing that, in light of the problems with the Windows Update for Meltdown seen on some systems (here and here for example), ICS-CERT has not specifically mentioned the need for checking any updates on a test platform before applying them to a live control system.

Phoenix Contact Advisory


This advisory describes two vulnerabilities in the Phoenix Contact FL Switch product line. The vulnerabilities were reported by Ilya Karpov and Evgeniy Druzhinin of Positive Technologies. Newer versions of the firmware mitigate these vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper authorization - CVE-2017-16743; and
• Information exposure - CVE-2017-16741

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to gain administrative privileges and expose information to unauthenticated users.

Moxa Advisory


This advisory describes an unquoted search path vulnerability in the Moxa MXview network management software. The vulnerability was reported by Karn Ganeshen. Moxa has produced a firmware update that mitigates the vulnerability. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker with locally authorized access could exploit the vulnerability to escalate privileges by inserting arbitrary code into the unquoted service path.

WECON Advisory


This advisory describes two vulnerabilities in the WECON LeviStudio HMI Editor. The vulnerabilities were reported by Sergey Zelenyuk of RVRT, HanM0u of CloverSec Labs, and Brian Gorenc via the Zero Day Initiative. The latest version of the software mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2017-16739; and
• Heap-based buffer overflow - CVE-2017-16737

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to effect arbitrary code execution.

Advantech Update


This update provides additional information on an advisory that was originally published on January 4th, 2018. It adds two vulnerabilities to those previously reported:

• Unrestricted upload of file with dangerous type - CVE-2017-16736; and
• Use after free - CVE-2017-16732