Thursday, February 23, 2017

ICS-CERT Publishes Three Advisories

Today the DHS ICS-CERT published three control system security advisories for products from Schneider Electric, Red Lion Controls and VIPA Controls.

Schneider Advisory


This advisory describes a resource exhaustion vulnerability in the Schneider Electric Modicon M340 PLC. The vulnerability was reported by Luis Francisco Martin Liras. Schneider has released a new firmware version that mitigates the vulnerability. There is no indication that Liras has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit the vulnerability to render the device unresponsive requiring a physical reset of the PLC.

Red Lion Controls Advisory


This advisory describes a hard-coded cryptographic key vulnerability in the Red Lion Controls Sixnet-Managed Industrial Switches and the AutomationDirect STRIDE-Managed Ethernet Switch models. The vulnerability was reported by Mark Cross of RIoT Solutions. New firmware versions have been made available for both sets of devices. There is no indication that Cross has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low skilled attacker could remotely exploit this vulnerability to effect the loss of data confidentiality, integrity, and availability.

VIPA Controls Advisory


This advisory describes a stack-based buffer overflow vulnerability in the VIPA Controls WinPLC7. The vulnerability was reported by Ariele Caltabiano (kimiya) through ZDI. VIPA Controls has developed a patch to mitigate the vulnerability. There is no indication that kimiya has been provided the opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively unskilled attacker could remotely exploit the vulnerability to crash the device; a buffer overflow condition may allow remote code execution.


NOTE: Yesterday Siemens announced on TWITTER® the publication of two security notification updates (here and here) and the publication of a new security notification (here). I had almost expected ICS-CERT to publish their updates and advisory today; maybe tomorrow.

No comments:

 
/* Use this with templates/template-twocol.html */