2 Advisories and 2 Updates Published – 10-20-20

Today the CISA NCCIC-ICS published two control system security advisories for product from Hitachi ABB Power Grids, and Rockwell Automation, and updated an advisory for products from WECON. They also updated a medical device security advisory for products from Capsule Technologies.

Hitachi ABB Advisory

This advisory describes an improper authentication vulnerability in the Hitachi ABB XMC20 Multiservice-Multiplexer. The vulnerability is self-reported. Hitachi ABB has new firmware versions that mitigate the vulnerability.

NOTE: The Hitachi ABB advisory describes this as a third-party vulnerability in Libssh. They also report that exploit code is publicly available for the vulnerability. This vulnerability was reported by Peter Winter-Smith of NCC Group. An article on ZDNet.com notes that this is not the most commonly used ssh library, but we must assume that other vendor products may be affected by this vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an attacker to remotely take control of the product.

Rockwell Advisory

This advisory describes three classic buffer overflow vulnerabilities in the Rockwell 1794-AENT Flex I/O Series B ethernet/IP adapters. The vulnerabilities were reported (here, here and here) by Jared Rittle of Cisco Talos. Rockwell provides generic workarounds for these vulnerabilities.

NOTE: The Cisco Talos reports contain proof-of-concept exploit code for the vulnerabilities.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to crash the device being accessed, resulting in a buffer overflow condition that may allow remote code execution.

NOTE: I briefly reported on these vulnerabilities last Saturday.

WECON Update

This update provides additional information on an advisory that was originally published on August 25, 2020. The new information includes:

• Adding ‘improper restriction of xml external entity reference’ as a new vulnerability,

• Adding ‘and obtain sensitive information’ to the risk evaluation, and

• Adding ‘Mehmet D. INCE @mdisec from T0.Group’ as a reporting researcher.

Capsule Technologies Update

This update provides additional information on an advisory that was originally published on July 14^th, 2020. The new information includes updated affected version information and links to mitigation measures.

Public ICS Disclosures – Week of 10-10-20 – Part II

We have four new vendor notifications from Schneider. We also have nine vendor updates from Schneider (6) and Siemens (3).

Schneider Advisories

Schneider published an advisory describing a credentials management vulnerability in their Modicon Ethernet Programmable Automation products. The vulnerability was reported by Yang Dong  of DingXiang Dongjian Security Lab. Schneider has new firmware versions that mitigate the vulnerabilities. There is no indication that Yang has been provided an opportunity to verify the efficacy of the fix.

Schneider published an advisory describing an insufficiently random values vulnerability in their Smartlink, PowerTag, and Wiser series gateways. The vulnerability is self-reported. Schneider has new firmware versions that mitigate the vulnerability.

Schneider has published an advisory describing three vulnerabilities in their EcoStruxure™ and SmartStruxure™ Power Monitoring & SCADA Software. The vulnerabilities were reported by Michiel Evers and Niels Pirotte. Schneider has new products and upgrades that mitigate the vulnerabilities in some of the affected systems. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper access control (2) - CVE-2020-7545 and CVE-2020-7547, and

• Improper neutralization of input during web page generation - CVE-2020-7546

Schneider published an advisory for the Microsoft® Netlogon vulnerability. Schneider has not yet determined how the MS patch would affect their systems.

Schneider Updates

Schneider published an update for their Ripple20 advisory that was  originally published on June 23, 2020 and most recently updated on September 1^st, 2020. The new information includes adding remediation guidance for:

• VW3A3310 Altivar 61/71 Modbus TCP,

• VW3A3310D Altivar 61/71 Ethernet daisy chain,

• VW3A3316 Altivar 61/71 Ethernet IP, and

• VW3A3320 Altivar 61/71 Ethernet IP RSTP

Schneider published an update for their Urgent/11 advisory that was  originally published on August 2^nd, 2019 and most recently updated on June 9^th, 2020. The new information includes providing updated remediations for:

• Modicon LMC078 Controller,

• Modicon M580 Ethernet communications Modules,

• Modicon M580 IEC 61850 - BMENOP0300 (C),

• Modicon MC80 Programmable Logic Controller,

• Modicon Quantum 140 NOP Communications Module,

• PacDrive 3 Eco/Pro/Pro2 Motion Controllers,

• Pro-face HMI -GP4000H/R/E Series, GP4100 Compact Series, LT4000M Modular Series

Schneider published an update for the advisory on their Modbus Serial Driver that was originally published on August 11^th, 2020. The new information includes adding a remediation note for EcoStruxure Machine Expert Basic.

Schneider published an update for the advisory on their Modicon Controllers that was originally published on May 14^th, 2019 and most recently updated on August 11^th, 2020. The new information includes additional remediation steps for M580 and M340.

Schneider published an update for the advisory on their SCADAPack products that was originally published on September 8^th, 2020. The new information includes correcting the fix version of RemoteConnect from V2.3.2 to V2.4.2 package.

Schneider published an update for the advisory on their Modicaon Controllers that was originally published on March 16^th, 2017. The new information includes updates in the following sections (a fairly major rewrite):

• Products affected,

• Vulnerability details,

• Remediation, and

• Acknowledgement

NOTE: This advisory was one of three that were included in the ICS-CERT advisory, ICSA-17-089-02. NCCIC-ICS should probably update that advisory.

Siemens Updates

Siemens published an update for their Intel CPU advisory that was originally published on February 11^th, 2020 and most recently updated on July 14^th, 2020. The new information includes updated solutions for:

• SIMATIC IPC427E,

• SIMATIC IPC477E, and

• SIMATIC IPC477E Pro

Siemens published an update for their GNU/Linux advisory that was originally published in 2018 and most recently updated on September 8^th, 2020. The new information includes adding:

• CVE-2019-19037,

• CVE-2020-10732,

• CVE-2020-14145,

• CVE-2020-14381,

• CVE-2020-1968,

• CVE-2020-24394,

• CVE-2020-25212, and

• CVE-2020-25220

Siemens published an update for their CodeMeter advisory that was originally published on September 8^th, 2020. The new information includes:

• Adding PSS CAPE Protection Simulation Platform to the list of affected product,

• Adding solution by software update for SIMATIC WinCC OA,

• Adding solution by installation of latest CodeMeter Runtime version for SIMIT, SINEC INS, and PSS CAPE

NOTE: The original Siemens advisory was included in the initial list of covered vendors in ICSA-20-203-01. NCCIC-ICS would not be expected to specifically note this updated advisory since the link provide would go to the updated version on the Siemens web site.

Public ICS Disclosures – Week of 10-10-20 – Part 1

This week we have seven vendor disclosures from Eaton, HMS, Bender, Sprecher, Bosch, Rockwell, and Carestream. There are also three vendor updates from ABB and Eaton (2). We also have an exploit that was published for products from BACnet Interoperability Test Services, Inc.

Eaton Advisory

Eaton published an advisory for the CodeMeter vulnerabilities in their Xsoft-CODESYS programming software.

NOTE: This is the first CodeMeter advisory that is specifically tied to the 4th party CODESYS implmenetation of the Wibu-Systems code that I have seen.

HMS Advisory

HMS published an advisory for the Ripple20 [corrected link, 10-18-20 0846 EDT] vulnerabilities, reporting that none of their products are affected.

NOTE: The advisory indicates that HMS employed a third-party research firm to help them assess the potential exposure to these vulnerabilities.

Bender Advisory

Bender published an advisory describing an improper authentication vulnerability in their COMTRAXX products. The vulnerability was reported by Maxim Rupp. Bender has a new software version that mitigates the vulnerability. There is no indication that Maxim has been provided an opportunity to verify the efficacy of the fix.

Sprecher Advisory

Sprecher published an advisory describing an input validation vulnerability in their SPRECON-E engineering tools. The vulnerability was reported by Gregor Bonney of CyberRange-e at Innogy. Sprecher has a firmware update that mitigates the vulnerability. There is no indication that Bonney has been provided an opportunity to verify the efficacy of the fix.

Bosch Advisory

Bosch published an advisory describing the Microsoft® remote desktop services vulnerability in their Rexroth industrial PCs.

Rockwell Advisory

Rockwell published an advisory describing five buffer overflow vulnerabilities in their 1794-AENT Flex I/O products. The vulnerabilities were reported (here, here and here) by Jared Rittle of Cisco Talos. Rockwell provides generic workarounds to mitigate these vulnerabilities.

NOTE: The Cisco Talos reports provide proof-of-concept code for the vulnerabilities.

Carestream Advisory

Carestream published an advisory [.PDF download link] describing the Microsoft Bad Neighbor vulnerability. Carestream is looking into the potential effects of this vulnerability on their products.

ABB Update

ABB published an update of their CodeMeter advisory for their Automation Builder products that was originally published on September 17^th, 2020. ABB reports that CVE-2020-14517 has not been closed in the latest version of the Wibu-Systems CodeMeter (v.7.10a). That version has been integrated into the latest version of Automation Builder.

Eaton Updates

Eaton published an update for their Ripple20 [Corrected link, 10-18-20, 0851 EDT] advisory that was originally published on June 23^rd, 2020 and most recently updated on July 24^th, 2020. The new information includes updated mitigation information for Form 4D.

Eaton published an update for their Triangle MicroWorks DNP3 Outstation Libraries vulnerability advisory that was originally published on April 22^nd, 2020 and most recently updated on August 6^th, 2020. Eaton has updated their affected product list and mitigation measures.

NOTE: The NCCIC-ICS advisory was never updated to provide links to vendors reporting these library vulnerabilities in their products.

BACnet Exploit

Zero Science Lab published an exploit for a remote denial of service vulnerability in the BACnet Test Server from BACnet Interoperability Test Services, Inc. There is no report of a coordinated disclosure or CVE # for this vulnerability so it looks like it may be a 0-day exploit.

More to Come

Part II of this post will include Schneider and Siemens advisories and updates.

2 Advisories and 1 Update Published – 10-15-20

Today the CISA NCCIC-ICS published two control system security advisories for products from Advantech and updated one advisory for products from Wibu-Systems.

R-SeeNet Advisory

This advisory describes an SQL injection vulnerability in the Advantech  R-SeeNet monitoring application. The vulnerability was reported by rgod via the Zero Day Initiative (ZDI). Advantech has a new version that mitigates the vulnerability. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reported that a relatively low-skilled attacker could remotely exploit this vulnerability to allow remote attackers to retrieve sensitive information from the R-SeeNet database.

NOTE: NCCIC-ICS provides a link to the Advantech advisory for this vulnerability. This is the first time that I have seen an advisory published by Advantech (actually, Advantech Czech s.r.o.) and they also have a security notifications web page which apparently only covers their cellular routers and gateways. Interestingly, they make Common Vulnerability Reporting Framework (CVRF) v1.1 files on identified vulnerabilities available to their customers.

WebAccess Advisory

This advisory describes an external control of file name or path vulnerability in the Advantech WebAccess/SCADA software package. The vulnerability was reported by Sivathmican Sivakumaran via ZDI. Advantech has newer versions that mitigate the vulnerability. There is no indication that Sivakumaran has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow an attacker to control or influence a path used in an operation on the filesystem and remotely execute code as an administrator.

NOTE: This vulnerability was not reported on the web site I discussed for the earlier vulnerability, nor was there an Advantech advisory available.

CodeMeter Update

This update provides additional information on an advisory that  was originally published on September 8^th, 2020 and most recently updated on October 1^st, 2020 (the advisory incorrectly refers back to an earlier version from September 17th). The new information includes links to two new vendor advisories from Schneider and WEIDMUELLER.

4 Updates Published – 10-13-20

Yesterday the CISA NCCIC-ICS updated four control system security advisories for products from Siemens.

SCALANCE Update

This update provides additional information on an advisory that was originally published on November 28th, 2017 and most recently updated on May 10^th, 2018. The new information includes:

• Added RUGGEDCOM RM1224 to the list of affected products,

• Updated remediation link for SCALANCE W1750D,

• Updated CVSS scores, and

• Added CWE IDs.

Industrial Products Update #1

This update provides additional information on an advisory that was originally published on September 10^th, 2019 and most recently updated on September 8^th, 2020. The new information includes mitigation links for SIMATIC MV500 and SCALANCE W1750D.

Industrial Products Update #2

This update provides additional information on an advisory that was originally published on September 8^th, 2020. The new information includes:

• Removing the following from the list of affected products:

◦ SINUMERIK 840D sl (NCU730.3B),

◦ SINUMERIK 828D (PPU.4 /PPU1740), and

◦ SINUMERIK ONE (NCU1750 / NCU1760).

• Adding mitigation measures for:

◦ SIMATIC IPC627E,

◦ SIMATIC IPC647E,

◦ SIMATIC IPC677E, and

◦ SIMATIC IPC847E

SIMATIC Update

This update provides additional information on an advisory that was originally published on September 8^th, 2020. The new information includes adding SIMATIC WinAC RTX (F) 2010 and SINUMERIK 840D sl to the list of affected products.

Other Siemens Updates

Yesterday Siemens published updates for three additional advisories. If, not covered by NCCIC-ICS before then (and I do not expect that they will) I will discuss them this weekend.

ISCD Updates 2 FAQ Responses – 10-13-20

Yesterday the CISA Infrastructure Security Compliance Division (ISCD) updated the responses to two frequently asked questions (FAQs) on the Chemical Facility Anti-Terrorism Standards (CFATS) Knowledge Center web page.

The following FAQ responses were revised:

FAQ #1770 How will the Cybersecurity and Infrastructure Security Agency (CISA) protect the data it collects? Can Chemical-terrorism Vulnerability Information (CVI) be released under the Freedom of Information Act (FOIA)?

FAQ #1784 Does a facility have to count theft/diversion chemicals of interest (COI) in transportation packaging towards the screening threshold quantity (STQ) if the COI is on or attached to motive power, to include an overnight stay?

NOTE: The links provided for the FAQs in this post were copied from the CFATS Knowledge Center but may not work when followed from your machine. This is an artifact of that web site. If the links do not take you to the referenced FAQ you will have to use the ‘Advanced Search’ function on the page to link to the FAQ or download the ‘All FAQs’ document at the bottom of the ‘Advanced Search’ page.

The following changes were made in the referenced responses:

#1770 Complete rewrite of FAQ and response, but no change in policy or procedure.

#1784 Provides links to regulation and Federal Register cites.

For reference purposes, here is what the language of FAQ 1770 and its response read before yesterday’s changes:

Question: Can Chemical-terrorism Vulnerability Information (CVI) be released under the Freedom of Information Act (FOIA)? 

Answer: No. Notwithstanding the Freedom of Information Act or FOIA (5 U.S.C. 552), the Privacy Act (5 U.S.C.552a), and other laws, in accordance with the Homeland Security Act as amended by the Protecting and Securing Chemical Facilities from Terrorist Attacks Act of 2014, Public Law 113-254, and 6 C.F.R. § 27.400(g), records containing CVI are not available for public inspection or copying, and the Department does not release such records to persons without a need to know.

Further, as provided in 6 C.F.R. § 27.405, no law, regulation, or administrative action of a State or political subdivision thereof shall have any effect if such law or regulation conflicts with the Chemical Facility Anti-Terrorism Standards (CFATS). Requests for CVI under State or local FOIA or open records laws should be referred to the DHS National Protection and Programs Directorate (NPPD) Information Management and Disclosure Office, NPPD.FOIA@hq.dhs.gov.

If a record contains both information that may not be disclosed under Public Law 113-254 and information that may be disclosed, the latter information may be provided in response to a FOIA request, provided that the record is not otherwise exempt from disclosure under FOIA and that it is practical to redact the protected CVI from the requested record.

Note: Please refer to the “Safeguarding Information Designated as Chemical-terrorism Vulnerability Information (CVI) Handbook” for more information. The Handbook is available at https://www.dhs.gov/publication/safeguardinginformation-cvi-manual.

6 Advisories Published – 10-13-20

Today the CISA NCCIC-ICS published six control system security advisories for products from Siemens (2), Fieldcomm Group, Flexera, LCDS, and Moxa.

SIPORT Advisory

This advisory describes a use of client-side authentication vulnerability in the Siemens SIPORT MP access control system. The vulnerability is self-reported. Siemens has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow an authenticated attacker to impersonate other users of the system and perform (potentially administrative) actions on behalf of those users if the single sign-on feature (“Allow logon without password”) is enabled.

Desigo Advisory

This advisory describes three vulnerabilities in the Siemens Desigo Insight product. The vulnerabilities were reported by Davide De Rubeis, Damiano Proietti, Matteo Brutti, Stefano Scipioni, and Massimiliano Brolli from TIM Security Red Team Research. Siemens has a ‘hotfix’ available to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• SQL injection - CVE-2020-15792,

• Improper restriction of rendered UI layers or frames - CVE-2020-15793, and

• Exposure of sensitive information to an unauthorized actor - CVE-2020-15794

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to retrieve or modify data and gain access to sensitive information.

Fieldcomm Group Advisory

This advisory describes a stack-based buffer overflow vulnerability in the Fieldcom HARP-IP Developer kit. The vulnerability was reported by Reid Wightman from Dragos, Inc. Fieldcomm has a new version for one of the affected products that mitigates the vulnerability. There is no indication that Wightman has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to  crash the device being accessed; a buffer overflow condition may allow remote code execution.

Flexera Advisory

This advisory describes an untrusted search path vulnerability in the Flexera InstallShield product. The vulnerability was reported by an anonymous researcher. Flexera will only provide mitigation measures and work arounds to registered owners.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow execution of a malicious DLL.

NOTE: This vulnerability was reported by Flexera in 2016, so why is NCCIC-ICS reporting this now? Both IBM (Tivoli Storage Manager) and Tenable (Nessus Network Monitor) have issued advisories covering this as a third-party vulnerability in 2016 and 2019 respectively. I suspect that there are other vendors that also use InstallShield that may be unaware of the vulnerability or may not have addressed it.

LCDS Advisory

This advisory describes an out-of-bounds read vulnerability in the LCDS LAquis SCADA. The vulnerability was reported by an anonymous researcher via the Zero Day Initiative. LCDS has a new version that mitigates the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker to execute code under the privileges of the application.

Moxa Advisory

This advisory describes six vulnerabilities in the Moxa NPort IAW5000A-I/O Series integrated serial device server. The vulnerabilities were reported by Evgeniy Druzhinin and Ilya Karpov of Rostelecom-Solar. Moxa has an updated firmware version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The six reported vulnerabilities are:

• Session fixation - CVE-2020-25198,

• Improper privilege management - CVE-2020-25194,

Weak password requirements - CVE-2020-25153,

• Cleartext transmission of sensitive information - CVE-2020-25190,

• Improper restriction of excessive authorization attempts - CVE-2020-25196, and

• Exposure of sensitive information to unauthorized actor - CVE-2020-25192

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to gain access to and hijack a session; allow an attacker with user privileges to perform requests with administrative privileges; allow the use of weak passwords; allow credentials of third-party services to be transmitted in cleartext; allow the use of brute force to bypass authentication on an SSH/Telnet session; or allow access to sensitive information without proper authorization.

NOTE: I briefly described these vulnerabilities back in August. Moxa has updated their advisory to list the CVE numbers assigned by NCCIC-ICS.

Siemens Updates

NCCIC-ICS also published four Siemens updates today. I will cover them in a post tomorrow.