Friday, February 2, 2018

ICS-CERT Publishes 3 Advisories and 1 Update


Yesterday the DHS ICS-CERT published three control system security advisories for products from Gemalto, Smart Software Solutions (3S), and Fuji Electric. They also updated a previously published control system security advisory for products from NXP Semiconductor.

Gemalto Advisory


This advisory describes multiple vulnerabilities in the Gemalto Sentinel License Manager. The vulnerabilities were reported by Kaspersky Labs. The latest version of the software mitigates the vulnerabilities. There is no indication that Kaspersky Labs has been provided an opportunity to verify the efficacy of the fix.

The seven reported vulnerabilities are:

• Null pointer dereference - CVE-2017-11498;
• Stack-based buffer overflow (4) - CVE-2017-11497, CVE-2017-11496, CVE-2017-12818 and CVE-2017-12821;
• Heap-based buffer overflow - CVE-2017-12820; and
• Improper access control - CVE-2017-12822.

NOTE: This is essentially the same vulnerability that I have discussed previously (here and here). The Kaspersky article on this problem actually lists 14 vulnerabilities, not the seven being reported here. I mentioned earlier that there may be as many as 40,000 products (not all being ICS, obviously) being affected by this issue. If the Gemalto dongle is clearly identified as being a ‘Sentinel License Manager’, then this advisory is clearly a much more effective means of addressing the issue rather than issuing advisories on each of the affected product lines. If the using vendors, however, have relabeled their dongles, then this advisory will not be effective in those cases. But that is not ICS-CERT’s fault.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities, which could lead to remote code execution or cause a denial-of-service condition, rendering the Sentinel LDK License Manager service (and the supported product) unavailable.

3S Advisory


This advisory describes a stack-based buffer overflow in the 3S CODESYS Web Server. The vulnerability was reported by Zhu WenZhe of Istury IOT security lab. 3S has released a security patch to mitigate this vulnerability. There is no indication that Zhu was provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability causing the device to crash, resulting in a buffer overflow condition that may allow remote code execution.

Fuji Advisory


This advisory describes a stack-based buffer overflow vulnerability in the Fuji V-Server VPR. The vulnerability was reported by Ariele Caltabiano (kimiya) via the Zero Day Initiative. Fuji has produced a new firmware version that mitigates the vulnerability. There is no indication that Caltabiano has been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to view sensitive information and disrupt the availability of the device.


NXP Update


This update provides new information for an advisory that was originally published on October 12th, 2017. The update provides links to the new version of the single remaining product that was not previously fixed.
