Tuesday, July 25, 2017

ICS-CERT Published an Alert, an Advisory and 4 Updates

Today the DHS ICS-CERT published a control system security alert for the CRASHOVERRIDE malware and a control system security advisory for products from NXP. The NXP advisory was previously published on the NCCIC Portal on June 1st, 2017. ICS-CERT also updated four previously issued control system advisories for products from Siemens (3) and GE.

CRASHOVERRIDE Alert


This alert briefly describes the CRASHOVERRIDE malware. This malware was previously identified by ESET (on June 12th), Dragos (on June 12th) and US CERT (on June 12th), all of which ICS-CERT fully credits. All three reports provide much more information than the ICS-CERT Alert does. ICS-CERT has provided a different set of YARA rules for the detection of the malware than those previously published by Dragos. The ICS-CERT rules appear to target different portions of the malware.

NXP Advisory


This advisory describes two vulnerabilities in the NXP i.MX Devices, used on logic boards. The vulnerabilities were reported by Quarkslab. These are hardware vulnerabilities that generally cannot be corrected by a software fix. ICS-CERT notes that the vulnerabilities “are only exploitable when the device is placed in security enabled mode”.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2017-7936; and
• Improper certificate validation - CVE-2017-7932

ICS-CERT reports that a successful attack (by an uncharacterized attacker with uncharacterized access) could exploit the vulnerabilities to cause a denial of service or to load an unauthorized image on the device, affecting secure boot.

NOTE: These are not stand-alone devices; they are chip sets found on circuit boards in unnamed devices from unnamed suppliers. Hopefully one (or more) of those downstream suppliers will develop a successful mitigation for this problem on their devices. But it has been almost two months since notification was made to those vendors….

S7-300 Update


This update provides new information on an advisory that was originally published on December 13th, 2016 and then updated on May 9th, 2017. The update provides a link to a firmware update for the S7-CPU 410 CPUs.

GE Update


This update provides new information on an advisory that was originally published on April 27th, 2017, and updated on May 18th, 2017. The new update identifies 8 legacy products that are affected by the vulnerability. It also provides links to previously identified firmware versions and newly mitigated products, including the newly identified legacy products. The firmware update for the URplus platform is still expected to be released this month.

PROFINET 1 update


This update provides new information on an advisory that was originally published on May 9th, 2017 and updated on June 15th, 2017, on June 20th, 2017, and again on July 6th, 2017. The update provides updated version information and mitigation information for the SINEMA Server: All versions < V14.


PROFINET 2 update


This update provides new information on an advisory that was originally published on May 9th, 2017 and updated on June 15, 2017. The update provides new affected version information and mitigation links for:

• SCALANCE XM400, XR500: All versions prior to V6.1;
• S7-400 PN/DP V6 Incl. F: All versions;
• S7-400-H V6: All versions prior to V6.0.7;
• S7-400 PN/DP V7 Incl. F: All versions;
• S7-410: All versions prior to V8.2;
• SINAMICS S110 w. PN: All versions prior to V4.4 SP3 HF5;
• SINAMICS S120 V4.7: All versions prior to V4.7 H27; and
• SINAMICS V90 w. PN: All versions prior to V1.1
