SPRECON-V: partly affected

We can confirm that the following updates resolve several issues, caused by the Microsoft Security Update at the beginning of the year 2018.

• KB4074594 resolves KB4056898 - Windows 8.1. for x64-based Systems

• KB4074594 resolves KB4056895 and KB4056898 - Windows 8.1 and Windows Server 2012 R2 Standard

• KB4074592 resolves KB4056891 - Windows 10 Version 1703 for x64-based Systems

• KB4074596 resolves KB4056893 - Windows 10 Version 1507 for x64-based Systems

• KB4074590 resolves KB4056890 - Windows Server 2016 and Windows 10 Version 1607

• KB4074593 resolves KB4056896 - Windows Server 2012 Standard

• KB4074598 resolves KB4056894 - Windows 7 and Windows Server 2008 R2

As already published in public media, several CPU chips from renowned manufacturers (Intel, AMD, etc.) are affected. Meltdown and Spectre use vulnerabilities such as faulty kernel-mappings in order to read arbitrary data from memory and disclose sensitive information.
A potential attacker would need to download malicious software to the system, execute it, and extract the results in order to use these attacks.

As SPRECON-V can be applied on various computer hardware, it depends on the used hardware wether the proper installation is affected or not. For complete mitigation, operation system patches will need to be applied as soon as they can be installed without problems.

At the moment, it has been recognized that several Microsoft Windows patches lead to problems. It is not recommended to apply these patches directly to the operational system. In case they shall be applied, it is recommended to first create a backup of the systems, and first apply the patches to an equivalent test system and check the functionality after patching. Alternative countermeasures as below can be applied.

Additional analysis is currently being done. As soon as Microsoft Windows patches can be installed, hence are appoved by Sprecher Automation, this information will be shared.

        
Affected Products:

• SPRECON-V460 if operated on affected hardware:
  Intel, AMD, ARM
  https://www.heise.de/newsticker/meldung/Prozessor-Luecken-Meltdown-und-Spectre-Intel-und-ARM-fuehren-betroffene-Prozessoren-auf-Nvidia-3934667.html
  https://www.cvedetails.com/cve-details.php?cve_id=CVE-2017-5754

Countermeasures:

• Technical/operational networks must be isolated from public networks
• All communication means that lead into an operational network need to be monitored
• HMI-stations within operational networks / stations should be additionally hardened (application whitelisting and/or antivirus software)
• Enforcement of security monitoring in all areas and networks in order to detect anomalies
• Strictly apply defence-in-depth in your networks
• Chip and operating system manufacturers already work towards possible patches
• Recommendations of respective manufacturers can be considered to be implemented in the affected stations
  
  Microsoft offers tools in order to prove if the hardware is affected:
  https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in

• Meltdown and Spectre,
  http://meltdownattack.com
  
  Google Security Blog,
  https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html
  
  COPADATA
  https://www.copadata.com/en/news/news/security-announcement-6943/

SPRECON-E: not affected
SPRECON-V: not affected

A remote user can send specially crafted XML packets to the target webvpn-configured interface to trigger a double-free memory error in the SSL VPN function and execute arbitrary code on the target system.

Systems with the webvpn feature enabled are affected.

        
Affected Products:

The following models are affected:

• 3000 Series Industrial Security Appliance (ISA)
• 5500 Series Adaptive Security Appliances
• 5500-X Series Next-Generation Firewalls
• ASA Services Module for Catalyst 6500 Series Switches and 7600 Series Routers
• 1000V Cloud Firewall
• Adaptive Security Virtual Appliance (ASAv)
  
  Several Firepower series devices are also affected.
  
  

Countermeasures:

• The vendor has issued a fix (see link below).

• https://securitytracker.com/id/1040292
  
  
• https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180129-asa1

SPRECON-E: not affected
SPRECON-V: not affected

A remote user can send specially crafted IPv6 packets with a fragment header extension to or through the target Trident-based line card to cause the line card to reload.

Systems with Trident-based line cards that have IPv6 configured are affected.

Affected Products:

Trident-Based Line Cards:

• A9K-40GE-L
• A9K-40GE-B
• A9K-40GE-E
• A9K-4T-L
• A9K-4T-B
• A9K-4T-E
• A9K-8T/4-L
• A9K-8T/4-B
• A9K-8T/4-E
• A9K-2T20GE-L
• A9K-2T20GE-B
• A9K-2T20GE-E
• A9K-8T-L
• A9K-8T-B
• A9K-8T-E
• A9K-16/8T-B
  
  

Countermeasures:

• The vendor has issued a fix (Service Pack 7 for Cisco IOS XR Software Release 5.3.4).
  
  

• https://securitytracker.com/id/1040315

SPRECON-E: partly affected

As already published in public media, several CPU chips from renowned manufacturers (Intel, AMD, etc.) are affected. One of these affected products is used within SPRECON-E Falcon CPUs (PU244x) on ARM basis. Other SPRECON-E products respectively CPU families are not affected. However, the resulting risk is marginal for SPRECON devices.

Followingly the facts about this:        

• Meltdown is not relevant to ARM chips, hence, no risk from this attack
• Regarding Spectre, the variants 1 and 2 according to ^[1] are relevant. Hence, CVE-2017-5753 and CVE-2017-5715.
• in order to exploit these vulnerabilities, a potential attacker would need to download malicious software to the device, execute it, and extract the results. Theoretically, this could lead to disclosure of sensitive data, which would compromise the confidentiality of data, but not directly compromise integrity or availability of the device.
• However, SPRECON realizes a strict defence-in-depth strategy. This means, that there is no way to download arbitrary data on the device and execute downloaded code. Every means to download data onto the device is limited to authentic configuration data within the available engineering-worklfow on SPRECON. Hence, the risk from this vulnerability is minimal.

^[1] https://developer.arm.com/support/security-update

Affected Products:

• SPRECON-E-C respectively SPRECON-E-P with CPU PU244x
  
  

• There is no need for action regarding the attacks Meltdown and Spectre.

SPRECON-E: not affected
SPRECON-V: not affected

The company Meinberg informed about multiple vulnerabilities in its devices' web-userinterface as well as the NTP key generation. For details see the appropriate CVE codes, as well as http://www.ids.de/it-security/it-security-bulletin.html.

• Due to a wrong configuration in the Webserver Access Control List, an unauthenticated attacker is able to read arbitrary files.

• Error in restricted URL-access: specifically drafted HTTP/HTTPS queries allowed an unauthenticated attacker to read statistical data and grafics.

• Arbitrary file-upload: an authenticated directory-traversal attack allowed to upload arbitrary files due to missing validations.

• Error in NTP key generation: older versions of LTOS6-firmware erroneously handles NTP key generation, which enabled the usage of old keys after new keys have been generated.

        
Affected Products:

LTOS6-Firmware-Versionen before 6.24.004, which are used in LANTIME M-Series (M100, M200, M300, M400, M600, M900) as well as all devices of IMS-Series (M500, M1000, M1000S, M3000, M3000S, M4000) as well as SyncFire-Products (SF1000 / SF1100).

Countermeasures:

Meinberg already released firmware version 6.24.004 where these vulnerabilities are fixed. Customers of Meinberg can download it via  https://www.meinberg.de/german/sw/firmware.htm

SPRECON-E: not affected
SPRECON-V: not affected

A vulnerability in the implementation of the direct authentication feature in Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause an affected device to unexpectedly reload, resulting in a denial of service (DoS) condition.

The vulnerability is due to incomplete input validation of the HTTP header. An attacker could exploit this vulnerability by sending a crafted HTTP request to the local IP address of an affected device. A successful exploit could allow the attacker to cause the affected device to reload.

Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems that have the direct authentication feature enabled. This vulnerability can be triggered by IPv4 or IPv6 traffic.

        
Affected Products:

This vulnerability affects Cisco Adaptive Security Appliance (ASA) Software that is running on the following Cisco products:

• ASA 5500 Series Adaptive Security Appliances
• ASA 5500-X Series Next-Generation Firewalls
• ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
• ASA 1000V Cloud Firewall
• Adaptive Security Virtual Appliance (ASAv)
• Firepower 4110 Security Appliance
• Firepower 9300 ASA Security Module
• ISA 3000 Industrial Security Appliance

Countermeasures:

Cisco has released free software updates that address the vulnerability.

Further details on software versions, fixes, and detailed descriptions can be obtained from the security advisory:

> https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-asa

SPRECON-V460

A well-known security vendor recently discovered malware capable of affecting power grid operations, confirmed by Dragos as the malware used against Ukraine during late December 2016 power outage. The malware is highly modular supporting several protocols such as IEC 101, IEC 104, IEC 61850, and OPC Data Access (OPC DA). This malware also contains a data wiping component enabling destructive operations against the location machine, similar to the capability used against Ukraine in 2015.

Categorisation
Currently, no further exploits are known. The analysis from Dragos bases on samples from December 2016. It is obvious, that the malware has been extended and further developed in the meanwhile.
Principally, Microsoft Windows based maschines are vulnerable to this malware. Therefore, for Windows-based HMI stations the necessary countermeasures have to be taken into account.

     
        
Countermeasures

• Utilities shall strictly isolate technical (ICS) networks from others (such as e.g. office networks).

• All communication means to access ICS networks (and especially Windows based HMI stations) need to be secured, such as e.g. remote maintenance connections or mobile storage devices.

• HMI stations shall additionally be hardened using e.g. application whitelisting. Additionally, antivirus software might be applied. Be aware, that antivirus software might cause false-positives on functionally relevant machines.

• Electric utility security teams should have a clear understanding of where and how IEC 104 and IEC 61850 protocols are used. An appropriate security monitoring shall be enforced.

• The YARA rules published by Dragos and other indicators of compromise can be leveraged to search for possible infections (IOCs).

• Robust backups of engineering files such as project logic, IED configura­tion files, and ICS application installers should be offline and tested. This will help reduce the impact of the wiper functionality.
  
  
• Prepare incident response plans for this attack and perform table top exer­cises bringing in appropriate stakeholders and personnel across engineer­ing, operations, IT, and security. Further information as well as solution approaches can be obtained from the appropriate CERT warnings as well as the Microsoft website.

> BBC News

> WIN32/Industroyer: A new threat for industrial control systems

> WIN32/Industroyer: Indicators of Compromise

> Siemens Security Advisory by Siemens

 > Dragos World Advisory

 > BSI News

 > Dragons Analyse

SPRECON-V460 Systems

The ransomware WannaCry spreads across the internet since 12.5.2017. WannaCry is a ransomware, hence encrypts a set of defined filetypes on the affected computer's file system. It is highly critical, since it automatically distributes across a company's network infrastructure using several known vulnerabilities in Microsoft Windows.

 
Categorisation  
A high risk results for SPRECON V460 stations, if their network zone is connected to an office network via Windows file sharing (SMB), NETBIOS or RDP.
  

     
        
Solution
Microsoft already closed the respective vulnerabilities in March 2017 via security patches. It is recommended to patch all Windows machines with actual security updates in order to mitigate these vulnerabilities.

Since May, security patches are also available for older Windows versions such as Windows XP or Windows Server 2003.

Further information as well as solution approaches can be obtained from the appropriate CERT warnings as well as the Microsoft website.

>   CERT.at: Ransomware/Wurm WannaCry

>   BSI: Tausende Clouds in Deutschland anfällig für Cyber-Attacken

>   Microsoft: Customer Guidance for WannaCrypt attacks

>   Microsoft: How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.

An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.

Affected Products
Catalyst switches,
Embedded Service 2020 switches,
Enhanced Layer 2 EtherSwitch Service Module,
Enhanced Layer 2/3 EtherSwitch Service Module,
Gigabit Ethernet Switch Module (CGESM) for HP,
IE Industrial Ethernet switches,
ME 4924-10GE switch, RF Gateway 10,
SM-X Layer 2/3 EtherSwitch Service Module

Solution
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

CVSS-Score: 9.8

>   Cisco Security Advisory

  CERT-EU Security Advisory 2017-006

Users of IPSec VPN connections with SPRECON-E

Since firmware version 8.41, users are enabled to operate IPSec VPN connections with SPRECON control devices. The configuration therefore is done via the proper Security Editor tool, that offers a user interface for defining IPSec settings. Upon configuration, the users exports the propriertary file ipsec.cfg from this tool. This file can than be imported with the SPRECON Designer in order to integrate it into the process device list (main configuration file) which may then be downloaded to the device.

During IPSec configuration, the authentication of the IPSec pariticipant has to be defined. Depending on the chosen authentication method, either a pre-shared key or certificate may be used which in turn contains a private key. The vendor Sprecher Automation advises all users to maintain the confidentiality of these files, since they contain critical information.

Actually, ipsec.cfg files are equipped with a password-based protection mechanism against manipulation, which has been implemented majorly for protecting users against unauthorized alteration of the files. This is not a strong cryptographical encryption, which ensures confidentiality of those files against potential attacks. In order to support all customers, from SPRECON firmware 8.56 and Security Editor 1.03 a strong encryption will be applied to the ipsec.cfg files, to cryptographically ensure confidentiality and integrity of IPSec configurations.

SPRECON-E-C/-E-P/-E-T3: affected

SPRECON-V460: not affected

Under certain preconditions, it is possible for a non-admin user to execute a telegram simulation.

As prerequisites, a user has to open an online-connection to the device, validly authenticate and authorise as administrator, and execute telegram simulation. The online-connection subsequently has to be closed without closing the program. Faulty caching of client data then may allow a following non-admin user to execute telegram simulation.

In order to exploit this vulnerability, a potential attacker would need to have both a valid engineering-account in the SPRECON RBAC system as well as access to the service/maintenance computer. Additionally, a valid admin-user must have executed telegram simulation, then close the service connection beforehand without closing the program. Hence, there is no risk from external attackers.

Affected Product: SPRECON-E Service Program 3.42 SP0

Limitation: 

This vulnerability is only relevant if using role-based access control (RBAC) on SPRECON. RBAC is available since the following product versions:

• SPRECON-E Designer 5.79 SP0 (Access control needs to be activated, either local or remote (RADIUS) authentication profiles need to be configured)
• SPRECON-E Firmware 8.49d
• SPRECON-E Service Program 3.42 SP0

Solution

Sprecher Automation recommends to update SPRECON-E Service Program to version 3.43 SP0 or higher. An update of the Service Program can be done independently from device firmware and other related products.

Workaround

If it can be ensured that the Service Program is being closed after each usage by a particular user, there is no risk from this vulnerability.

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

Cisco closes several, partially critical, vulnerabilities with a new software update.

CVE-2016-6432 defines a security gap (CVSS score of 9.3) which could allow an unauthenticated remote attacker to cause a reload of the affected system or to remotely execute code. An attacker could exploit this vulnerability by sending a crafted NetBIOS packet in response to a NetBIOS probe sent by the ASA software.

Cisco has released software updates that address this vulnerability. A workaround is to deactivate NetBIOS probing.

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

The latest firmware update for SIPROTEC 4 and SIPROTEC Compact fixes multiple vulnerabilities, which are classified with CVSS-Scores from 7.8 to 10 according to cvedetails.com. The vulnerabilities exist within the EN100 Ethernet module.

The vulnerabilities CVE-2016-7112 and CVE-2016-7114 allow remote attackers to bypass authentication and obtain administrative privileges.

CVE-2016-7113 allows remote attackers to cause a denial of service via HTTP.

An update to the latest firmware is necessary. As a general security measure, Siemens recommends to run devices in protected IT environments.

> Siemens

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

CVE-2016-3962

CVE-2016-3988

CVE-2016-3989

• IMS-LANTIME M3000
• IMS-LANTIME M1000
• IMS-LANTIME M500
• LANTIME M900
• LANTIME M600
• LANTIME M400
• LANTIME M300
• LANTIME M200
• LANTIME M100
• SyncFire 1100
• LCES

CVE-2016-3962 and CVE-2016-3988 are Buffer-Overflow vulnerabilities in the time-server interface that enable remote-attackers to cause “denial-of-service” and allow the capture of sensitive information or manipulation of data.

CVE-2016-3989 causes "Privilege Escalation", where attackers can use the "nobody" user to obtain root privileges.

Vulnerabilities have the criticality scores of 7.3 and respectively 8.1.

Meinberg already released a fixed firmware (Version 6.20.004).

> ICS-CERT

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated remote attacker to cause a reload of the affected system or to execute code.

The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. This could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.

Cisco has released software updates that address the vulnerability.

> Cisco

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

Tenable Network Security detected a “NULL pointer deference” security gap in the CODESYS Runtime Toolkit of 3S-Smart Software Solutions GmbH.

This gap allows an attacker to trigger a “denial of service” by causing the crash of the Runtime Toolkit. All CODESYS Runtime Toolkit versions < 2.4.7.48 are affected.

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

The vulnerability of the widely used real-time embedded operating system VxWorks (versions 5.5 to incl. 6.9.4.1) of Wind River can be identified by Fuzzing.

By using this vulnerability, it is possible to provoke a buffer overflow via the network and then execute any code. Furthermore, the FTP server of the system could be crashed through a specific username and password (demonstrated at the security conference 44CON).

The latest generation – VxWorks version 7 – is not affected.

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

“LogJam” is a security gap in the Diffie-Hellman crypto protocol for encrypted connections of web-, mail-, SSH- and VPN-servers. Due to a weakness of the TLS process (Transport Layer Security), the key size can be reduced to unsecure 512 bit by a man-in-the-middle attack.

That allows to shift the HTTPS connections to the unsecure export mode and to compromise them. Generally, the 512 Bit key size is not used anymore, but some servers still support it for compatibility reasons.

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

“GHOST” is a security gap of the gethostbyname() function (standard C library: Glibc). Under certain circumstances, malware can be executed via malicious DNS-responses.

The gap arose with Glibc 2.2 (11/2000) and has been fixed within version 2.18 (01/2013).

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

3^rd-Party: Microsoft^® Windows^® Server 2003 SP2, Windows^® Vista SP2, Windows^® Server 2008 SP2 and R2 SP1, Windows^® 7 SP1, Windows^® 8, Windows^® 8.1, Windows^® Server 2012 Gold and R2, and Windows^® RT Gold and 8.1

The crypto component "Microsoft^® Secure Channel" is also responsible for encrypted Internet connections. Microsoft^® classified this security gap as critical (MS14-066). Through the Schannel security gap attackers can implant manipulated data packages via prepared websites and take over control of the computer.

• Update Windows^® operating system
• Only run computers with Windows^® operating systems in isolated networks

SPRECON-E-C/-E-P/-E-T3: Webserver

SPRECON-V460: not affected

3^rd-Party: IP camera access via browser (Chrome, Firefox, Internet Explorer,...)

If server and client of a TLS connection also support the previous versions of the protocol (i.e. due to compatibility reasons), attackers may force a backset to the older and vulnerable SSLv3 by a MiM (Man in the Middle) attack. Hence it is possible to disclose the session cookie and to take over the connection.

SSLv3 support (which was necessary due to compatibility reasons) will be terminated along with the next version of the SPRECON webserver.

• Deactivate your webserver (should be standard if not used)
• Deactivate SSLv3 in your web browser