Zero-Day Flaws Found, Patched In Siemens Switches

[InfoSec News <alerts () infosecnews org>]

http://www.darkreading.com/vulnerability/zero-day-flaws-found-patched-in-siemens/240165252

By Kelly Jackson Higgins
Dark Reading
January 09, 2014

A security researcher has discovered a pair of zero-day vulnerabilities in 
a popular family of Siemens industrial control system switches that could 
allow an attacker to take over the network devices without a password.

Eireann Leverett, senior security consultant for IOActive, next week at 
the S4 ICS/SCADA conference in Miami will release his proof-of-concept 
code for users of the SCALANCE X-200 Switch family to test the flaws in 
their industrial control systems (ICS) environments. The researcher found 
the bugs a few months ago and reported them to Siemens, which last fall 
issued patches for the flaws -- within three months of being notified.

Whether ICS/SCADA customers will actually apply the patches or just how 
quickly they will do so is the big question. The aftermath of Stuxnet has 
pressured some major ICS vendors like Siemens to regularly respond to 
vulnerability discoveries in their products with patches and updates to 
their software. But their customers -- utilities and other process control 
operators -- don't routinely apply those patches. Overall, only 10 to 20 
percent of organizations do so, mainly because they face the risk of a 
power or plant operation disruption caused by a newly patched system.

Leverett says releasing his PoC code is all about giving Siemens customers 
a chance to test what the newly discovered vulnerabilities could do. Many 
vulnerability and patch reports don't include enough specifics about the 
potential implications of the flaws, he says. "My personal goal is to make 
sure asset owners have a chance to say, 'How bad is it? What can I do with 
it?''

[...]



--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/