Today the DHS ICS-CERT published three control system
security advisories for products from Trihedral and OSIsoft. ICS-CERT continues
to have problems with Siemens security advisories and updates.
PI Web API Advisory
This advisory describes a cross-site request forgery vulnerability in the OSIsoft Web API. The
vulnerability is self-reported. OSIsoft has produced an upgraded version and
provides additional mitigation measures.
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit this vulnerability to access the PI System with the
privileges of a legitimate client user (write data).
PI Server Advisory
This advisory describes two improper authentication vulnerabilities in the OSIsoft PI Server.
The vulnerabilities are self-reported. A new version (not
currently available) has been developed that mitigates the vulnerabilities.
ICS-CERT reports that an attacker (of uncharacterized skill level)
could remotely exploit the vulnerabilities to spoof a PI Server or cause
undefined behavior within the PI Network Manager.
Trihedral Advisory
This advisory describes three vulnerabilities in the Trihedral VTScada product. Karn Ganeshen
reported the vulnerabilities. Trihedral has developed a patch to mitigate the vulnerabilities.
ICS-CERT reports that Ganeshen has verified the efficacy of the fix.
The three reported vulnerabilities are:
• Uncontrolled resource consumption - CVE-2017-6043;
• Cross-site scripting - CVE-2017-6053; and
• Information exposure - CVE-2017-6045
ICS-CERT reports that a relatively low skilled attacker
could remotely exploit the vulnerabilities to cause uncontrolled resource
consumption, arbitrary code execution, or information exposure.
NOTE: the VTScada upgrade notes report that “VTScada logo
images are now protected by a checksum. VTScada will not start if these files
have been removed or modified. If you wish to create a custom-branded
application, contact Trihedral Engineering for licensing.” So it is possible
that a facility is using a vulnerable system and does not know it.
Missing Siemens Advisories and Updates
In addition to the five Siemens WannaCry updates I mentioned
yesterday, there are six recently published Siemens advisories and updates
that have not been reported by ICS-CERT. They are:
SSA-275839: Denial-of-Service Vulnerability in Industrial Products, June 7th;
SSA-946325: Vulnerabilities in SICAM PAS, June 9th;
SSA-732541: Denial-of-Service Vulnerability in SIPROTEC 4, June 12th;
SSA-293562: Vulnerabilities in Industrial Products, June 13th;
SSA-623229: DROWN Vulnerability in Industrial Products, June 13th; and
SSA-931064: Authentication Bypass in SIMATIC Logon, June 13th
To be fair, it is probably too soon to be concerned about the
last four, but the other 7 missing Siemens reports are definitely of concern.
As always thanks to the Siemens @ProductCERT for their tweets about
security updates on their products.