Friday, April 14, 2017

ICS-CERT Publishes Two Advisories

Yesterday the DHS ICS-CERT published two control system security advisories for products from Schneider Electric and Wecon Technologies.

Schneider Advisory


This advisory describes two vulnerabilities in the Schneider Modicon M221 PLCs and SoMachine Basic. The vulnerabilities were reported by Simon Heming, Maik Brüggemann, Hendrik Schwartke, and Ralf Spenneberg of Open Source Security. Schneider has announced an encryption workaround and says that it will introduce a new version of SoMachine Basic in June.

The two reported vulnerabilities are:

• Use of Hard-Coded Cryptographic Key – CVE-2017-7574; and
• Protection Mechanism Failure – CVE-2017-7575

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities using a publicly available exploit to extract a protected project file from the controller and obtain sensitive project information, or that a user with access to a protected project file could decrypt it to obtain sensitive information without authorization.

Interestingly, the Schneider security notification only addresses the vulnerability in their SoMachine Basic, ignoring the vulnerability in their Modicon M221 PLCs. Could that vulnerability be a ‘design feature’?

NOTE: These are the vulnerabilities that I reported on last weekend. OpenSource published the vulnerabilities on their web site (here and here) a week ago last Tuesday.

Wecon Advisory


This advisory describes two buffer overflow vulnerabilities in the Wecon LEVI Studio HMI Editor. The vulnerabilities were reported by Andrea (rgod) Micalizzi, working with iDefense Labs. Wecon has developed a new version that mitigates the vulnerabilities. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Heap-based buffer overflow – CVE-2017-6037; and
• Stack-based buffer overflow – CVE-2017-6035


ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to cause the device to become unresponsive; a buffer overflow condition may allow remote code execution.
