One patched, one to go
The US industrial control system computer emergency response team (ICS-CERT) has warned of twin flaws in substation control software.
The SICAM Power Automation System contains poorly protected credentials (CVE-2016-5848) and information exposure (CVE-2016-5849) found by Russian researchers Ilya Karpov and Dmitry Sklyarov of Positive Technologies.
The CERT warns lowly hackers could exploit the holes but only with pre-existing local access, greatly limiting the exposure.
“An authenticated local user utilising these vulnerabilities could obtain sensitive information under certain conditions,” the CERT warns.
“Impact to individual organisations depends on many factors that are unique to each organisation.”
Siemens warns in an advisory [pdf] that only CVE-2016-5848 has been patched.
“Siemens has released an update for [CVE-2016-5848] and is working on an update for [CVE-2016-5849],” it says.
“In the meantime, Siemens provides detailed instructions on how to mitigate CVE-2016-5849 for existing installations via the Siemens Energy Customer Support Center.”
The company says its SICAM product is used by many in the energy sector and will require updating with admins needing to email the company for patching advice. ®