Home page logo
/

isn logo Information Security News mailing list archives

Zero-Day Flaws Found, Patched In Siemens Switches
From: InfoSec News <alerts () infosecnews org>
Date: Fri, 10 Jan 2014 11:31:58 +0000 (UTC)

http://www.darkreading.com/vulnerability/zero-day-flaws-found-patched-in-siemens/240165252

By Kelly Jackson Higgins
Dark Reading
January 09, 2014

A security researcher has discovered a pair of zero-day vulnerabilities in a popular family of Siemens industrial control system switches that could allow an attacker to take over the network devices without a password.

Eireann Leverett, senior security consultant for IOActive, next week at the S4 ICS/SCADA conference in Miami will release his proof-of-concept code for users of the SCALANCE X-200 Switch family to test the flaws in their industrial control systems (ICS) environments. The researcher found the bugs a few months ago and reported them to Siemens, which last fall issued patches for the flaws -- within three months of being notified.

Whether ICS/SCADA customers will actually apply the patches or just how quickly they will do so is the big question. The aftermath of Stuxnet has pressured some major ICS vendors like Siemens to regularly respond to vulnerability discoveries in their products with patches and updates to their software. But their customers -- utilities and other process control operators -- don't routinely apply those patches. Overall, only 10 to 20 percent of organizations do so, mainly because they face the risk of a power or plant operation disruption caused by a newly patched system.

Leverett says releasing his PoC code is all about giving Siemens customers a chance to test what the newly discovered vulnerabilities could do. Many vulnerability and patch reports don't include enough specifics about the potential implications of the flaws, he says. "My personal goal is to make sure asset owners have a chance to say, 'How bad is it? What can I do with it?''

[...]



--
Subscribe to InfoSec News
http://www.infosecnews.org/subscribe-to-infosec-news/


  By Date           By Thread  

Current thread:
  • Zero-Day Flaws Found, Patched In Siemens Switches InfoSec News (Jan 10)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]