Friday, June 23, 2017

ICS-CERT Publishes Two Siemens Advisories

Yesterday the DHS ICS-CERT published two control system security advisories for two products from Siemens.

XHQ Advisory


This advisory describes an improper access control vulnerability in the Siemens XHQ operations intelligence product. This vulnerability is being self-reported. Siemens has developed a new version that mitigates the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker (who is an authorized user) could remotely exploit the vulnerability to gain read access to data in the XHQ solution exceeding his configured permission level.

SIMATIC CP 44x-1 Advisory


This advisory describes an improper authentication vulnerability in the Siemens SIMATIC CP 44x-1 Redundant Network Access (RNA) modules. This vulnerability is being self-reported. Siemens has released a firmware update to mitigate the vulnerability.

ICS-CERT reports that a relatively low-skilled attacker could remotely exploit the vulnerability to perform administrative actions under certain conditions. The Siemens security advisory reports that the attacker must have network access to port 102/TCP of the affected device and that the configuration data of the CP must be stored on the CPU.
