Today the DHS ICS-CERT published a new control system
security advisory for products from Rockwell. They also updated another control
system security advisory for products from Siemens. The Rockwell advisory was
originally published in the NCCIC Portal on May 18, 2017.
Rockwell Advisory
This advisory
describes an improper input validation vulnerability in the Rockwell MicroLogix
1100 Controllers. The vulnerability was reported by Mark Gondree of Sonoma
State University, Francisco Tacliad and Thuy Nguyen of the Naval Postgraduate
School. Rockwell has a newer firmware version that mitigates the vulnerability.
There is no indication that any of the researchers have been provided an
opportunity to verify the efficacy of the fix.
ICS-CERT does not provide any information on the skill level or
type of access required to exploit this vulnerability. They just note that a
successful exploit could lead to a denial of service condition.
Siemens Update
This update
provides additional information on an advisory that was originally
published on July 6th, 2017. The new information included
updated version information for:
• Firmware variant Modbus TCP: All versions prior to V1.10.01
• Firmware variant DNP3 TCP: All versions prior to V1.03
• SIPROTEC 7SJ66: All versions prior to V4.23
• SIPROTEC 7SJ686: All versions prior to V4.86
• SIPROTEC 7UT686: All versions prior to V4.01
• SIPROTEC 7SD686: All versions prior to V4.04
The only change seen in the security
reporting from Siemens was the affected version information and the update link
for DNP3 TCP. The other updated version information was provided in the ‘Mitigation’
section of the earlier ICS-CERT version of the advisory, but not in the ‘Affected
Products’ section.
Commentary
I have not done an actual tally to confirm this, but it
seems to me that we see a much higher percentage of Rockwell product advisories
making it to the NCCIC (or the old US-CERT) secure portal before being publicly
disclosed than we do for Siemens products. Since it is not clear how this
decision is made for limited disclosure, it would be unfair to say something
untoward was happening; but it does seem odd.
If the decisions are made based upon company requests for
the delay, then this is a marketing call by the respective companies with no
foul noted. If the decision is being made just by ICS-CERT, then the community
probably deserves some process explication.