Friday, December 23, 2016

ICS-CERT Publishes Two Advisories and Updates Five

Yesterday the DHS ICS-CERT published two control system security advisories for products from Wago and Fidelix. It also published updates for previously issued advisories for products from Moxa (2), iRZ, Resource Data Management, Environmental Systems and Siemens.

Wago Advisory


This advisory describes an authentication bypass vulnerability in the WAGO Ethernet Web-based Management products. The vulnerability was reported by Maxim Rupp. WAGO has produced a firmware update and workarounds to mitigate the vulnerability. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled hacker could remotely exploit this vulnerability to view and edit settings without authenticating.

Fidelix Advisory


This advisory describes a path traversal vulnerability in the Fidelix FX-20 series controllers. The vulnerability was reported by Semen Rozhkov of Kaspersky Lab. Fidelix has produced a new software version that mitigates the vulnerability. There is no indication that Rozhkov has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit this vulnerability to read data from the device.

Moxa EDR-G903 Update


This update provides additional information on an advisory that was originally published on May 17th, 2016. It changes the name of one of the vulnerabilities from ‘memory leak’ to ‘information exposure’. For the unauthenticated download vulnerability, the ‘A’ component at the end of the CVSS vector string changes from ‘H’ to ‘N’.

iRZ Update


This update provides additional information on an advisory that was originally published on May 17th, 2016. It changes the CVSS v3 base score from 6.1 to 7.2 and changes two components of the CVSS vector string: ‘UI’ from ‘R’ to ‘N’ and ‘C’ from ‘N’ to ‘H’.

Resource Data Management Update


This update provides additional information on an advisory that was originally published on May 19th, 2016. It changes the CVSS v3 base score on the cross-site request forgery vulnerability from 6.5 to 8.0 and changes three components of the CVSS vector string for the same vulnerability: ‘UI’ from ‘N’ to ‘R’, ‘C’ from ‘N’ to ‘H’, and ‘I’ from ‘N’ to ‘H’.

Moxa MiiNePort Update


This update provides additional information on an advisory that was originally published on May 24th, 2016. It changes the CVSS v3 base score on the cross-site request forgery vulnerability from 6.1 to 9.6 and changes three components of the CVSS vector string for the same vulnerability: ‘UI’ from ‘R’ to ‘N’, ‘C’ from ‘L’ to ‘H’, and ‘I’ from ‘N’ to ‘H’.

Environmental Systems Update


This update provides additional information on an advisory that was originally published on May 26th, 2016, and then updated on June 2nd, 2016. It changes the CVSS v3 base score on the authentication bypass vulnerability from 7.5 to 9.1.

Siemens Update


This update provides additional information on an advisory that was originally published on November 8th, 2016, and then updated on November 22nd, 2016. It updates both the affected version and mitigation information for SIMIT V9.0 SP1 and Security Configuration Tool (SCT) V4.3 HF1. Siemens has updated their security advisory and reported this update via a tweet on Wednesday.

Commentary


This cluster of incorrect CVSS v3 base scores and vector strings from May of this year is interesting. As of this date it apparently does not affect all the advisories produced during that period, and it affects only one of the reported vulnerabilities in advisories that cover multiple vulnerabilities. This would seem to indicate that it was not a systemic problem, but rather human error. While we would like to think that the folks at ICS-CERT were perfect, alas they are only human.


I am impressed with the four updates addressing these CVE-related errors. I’m not sure what instigated the review of these advisories, but their publication does demonstrate a high level of integrity and attention to detail. ICS-CERT is to be commended on publishing them.
