Friday, January 12, 2018

ICS-CERT Publishes Alert, 3 Advisories and 1 Update

Yesterday ICS-CERT published an alert for the Intel Meltdown and Spectre vulnerabilities. They published three control system security advisories for products from Phoenix Contact, Moxa, and WECON. They also updated a previously published advisory for products from Advantech.

Meltdown Alert


This alert describes the CPU hardware side-channel attack vulnerabilities known as Meltdown and Spectre. The alert provides links to the following vendor notifications about these vulnerabilities:

ABB;
Rockwell Automation (account required for login); and
Siemens

The alert also provides a generic link to the ICS-CERT recommended practices page. It is disappointing that, in light of the problems with the Windows Update for Meltdown seen on some systems (here and here for example), ICS-CERT has not specifically mentioned the need to check any updates on a test platform before applying them to a live control system.

Phoenix Contact Advisory


This advisory describes two vulnerabilities in the Phoenix Contact FL Switch product line. The vulnerabilities were reported by Ilya Karpov and Evgeniy Druzhinin of Positive Technologies. Newer versions of the firmware mitigate these vulnerabilities. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper authorization - CVE-2017-16743; and
• Information exposure - CVE-2017-16741

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to gain administrative privileges and expose information to unauthenticated users.

Moxa Advisory


This advisory describes an unquoted search path vulnerability in the Moxa MXview network management software. The vulnerability was reported by Karn Ganeshen. Moxa has produced a firmware update that mitigates the vulnerability. There is no indication that Ganeshen was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker with locally authorized access could exploit the vulnerability to escalate privileges by inserting arbitrary code into the unquoted service path.
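
A defender-side audit for the weakness class named in this advisory, added here as an example; it is not taken from the advisory or from Moxa. It flags Windows service `ImagePath` values whose executable path contains a space but is not quoted, and returns the quoted form that closes the gap. The service names, paths and the environment-variable defaults are constructed for illustration.

```python
import re

# Constructed sample data: service name -> ImagePath value as stored under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>. All names and paths are invented.
SAMPLE_SERVICES = {
    "ExampleNms": r"C:\Program Files\Example NMS\bin\nmsd.exe -service",
    "QuotedSvc": r'"C:\Program Files\Vendor App\svc.exe" --run',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "EnvOnly": r"%ProgramFiles%\Vendor\agent.exe",
    "Driver": r"\SystemRoot\System32\drivers\example.sys",
}

# Assumed default expansions; a real audit would read them from the host.
ASSUMED_ENV = {"programfiles": r"C:\Program Files", "systemroot": r"C:\Windows"}

_EXE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd))(?=\s|$)", re.IGNORECASE)

def expand(path):
    """Expand %VAR% references so spaces hidden in variables are visible."""
    return re.sub(r"%([^%]+)%",
                  lambda m: ASSUMED_ENV.get(m.group(1).lower(), m.group(0)),
                  path.strip())

def executable_part(path):
    """Return the path up to the first executable extension, without arguments."""
    m = _EXE.match(path)
    return m.group(1) if m else path

def is_unquoted_with_spaces(image_path):
    """True when the executable path contains a space and is not quoted."""
    p = expand(image_path)
    if not p or p.startswith('"'):
        return False
    return " " in executable_part(p)

def quoted_form(image_path):
    """Return the corrected value: executable path quoted, arguments kept."""
    p = expand(image_path)
    exe = executable_part(p)
    return f'"{exe}"{p[len(exe):]}'

def audit(services):
    """Names of services whose ImagePath needs quoting, sorted."""
    return sorted(n for n, p in services.items() if is_unquoted_with_spaces(p))

if __name__ == "__main__":
    for name in audit(SAMPLE_SERVICES):
        print(name, "->", quoted_form(SAMPLE_SERVICES[name]))
```

The `EnvOnly` entry shows why variables are expanded first: the stored value has no literal space, but the expanded path does.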

WECON Advisory


This advisory describes two vulnerabilities in the WECON LeviStudio HMI Editor. The vulnerabilities were reported by Sergey Zelenyuk of RVRT, HanM0u of CloverSec Labs, and Brian Gorenc via the Zero Day Initiative. The latest version of the software mitigates these vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Stack-based buffer overflow - CVE-2017-16739; and
• Heap-based buffer overflow - CVE-2017-16737

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to effect arbitrary code execution.

Advantech Update


This update provides new information on an advisory that was originally published on January 4th, 2018. It adds two vulnerabilities to those previously reported:

• Unrestricted upload of file with dangerous type - CVE-2017-16736; and
• Use after free - CVE-2017-16732
