Today the DHS ICS-CERT published three control system
security advisories for products from Siemens (2) and Schneider.
Siemens Viewport Advisory
This advisory describes an improper authentication vulnerability in the Siemens Viewport for
Web Office Portal. The vulnerability was reported by Hannes Trunde from Kapsch
BusinessCom AG. Siemens has developed a new version that mitigates the
vulnerability. There is no indication that Trunde has been provided an
opportunity to verify the efficacy of the fix.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to upload and execute arbitrary code.
The Siemens security advisory reports that the attacker must have network
access to the web server on port 443/TCP or port 80/TCP of the affected product.
Schneider Advisory
This advisory describes a number of vulnerabilities in the Schneider U.motion
Builder. The vulnerabilities were reported by rgod via the Zero Day Initiative
and were publicly disclosed on 6-12-17 on the ZDI site
(ZDI-17-372 through ZDI-17-392). Schneider has a firmware patch scheduled in
August to mitigate these vulnerabilities.
The reported vulnerabilities include (there were 22
vulnerabilities identified on the ZDI site):
• SQL injection - CVE-2017-7973;
• Path Traversal - CVE-2017-7974;
• Improper authentication - CVE-2017-9956;
• Use of hard-coded password - CVE-2017-9957;
• Improper access control - CVE-2017-9958;
• Denial of service - CVE-2017-9959;
• Information exposure through an error message - CVE-2017-9960.
ICS-CERT reports that a relatively low-skilled attacker
could use publicly available exploits to remotely exploit these vulnerabilities
to execute arbitrary commands or compromise the confidentiality, integrity, and
availability of the system. The Schneider Security Advisory provides a number
of generic mitigation measures that should be employed until the patch is
applied.
Siemens SIMATIC Advisory
This advisory describes a permissions, privileges, and access controls vulnerability in
various Siemens industrial products. The vulnerability actually exists in the Intel
processors used in these products. The vulnerability was reported by Maksim
Malyutin from Embedi to Intel. Siemens has produced updates to a number of
industrial product PCs and continues to work on the remainder.
ICS-CERT reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to gain system privileges. The Siemens
Security Advisory provides a detailed (2-page) list of vulnerable products.
NOTE: The Intel chipsets are almost certainly used in a wide
variety of other ICS-related PCs. I would like to assume that Intel has talked
to other potentially affected vendors about this issue and that we can expect
to see other similar announcements from other vendors.