Yesterday the DHS NCCIC-ICS published seven control system
security advisories for products from ABB (3), Advantech, 3S and Siemens. They
also published an update of a previously issued advisory for products from
Schneider.
M2M Ethernet Advisory
This advisory describes an improper authentication vulnerability in the ABB M2M ETHERNET network analyzer. It was reported by Maxim Rupp. ABB has provided generic workarounds for this vulnerability. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the workarounds.
NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit the vulnerability to upload a malicious language file.
CMS-770 Advisory
This advisory describes an improper authentication vulnerability in the ABB CMS-770. This vulnerability was reported by Maxim Rupp. ABB has provided generic workarounds to mitigate the vulnerability. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the workarounds.
NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit the vulnerability to read sensitive configuration files, which may lead to code execution on the device.
Siemens Advisory
This advisory describes a missing authentication for critical function vulnerability in the Siemens TIM 1531 IRC. Siemens is self-reporting this vulnerability. Siemens has a firmware update to mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to perform arbitrary administrative operations.
NOTE: I briefly discussed the Siemens advisory and first update for this vulnerability last Saturday. The first update noted that the originally provided firmware update had been withdrawn and left just a workaround available to mitigate the vulnerability. This NCCIC-ICS advisory is based upon the second Siemens update of their advisory.
CODESYS V3 Advisory 1
This advisory describes two vulnerabilities in the 3S CODESYS V3 products. The vulnerabilities were reported by Alexander Nochvay from Kaspersky Lab. 3S has a new version that mitigates the vulnerabilities. There is no indication that Nochvay has been provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Use of insufficiently random values - CVE-2018-20025; and
• Improper restriction of communication channel to intended endpoint - CVE-2018-20026.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to disguise the source of malicious communication packets and to exploit the random values weakness, affecting the confidentiality and integrity of data stored on the device.
NOTE: There are two 3S advisories that support this NCCIC-ICS advisory (here and here).
CODESYS V3 Advisory 2
This advisory describes an improper access control vulnerability in the 3S CODESYS Control V3 products. The vulnerability was reported by Yury Serdyuk of Kaspersky Lab. 3S has a new version and recommends activating the CODESYS Control online user management and encryption of the online communication. There is no indication that Serdyuk has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to gain unauthorized access and exfiltrate sensitive data, including user credentials.
NOTE: 3S published five other advisories last week when they published the three supporting these two NCCIC-ICS advisories. Interestingly, none of the others have CVE numbers. More on these on Saturday.
Advantech Advisory
This advisory describes an improper input validation vulnerability in the Advantech WebAccess/SCADA product. The vulnerability was reported by Jacob Baines of Tenable Network Security. Advantech has a new version that mitigates the vulnerability. There is no indication that Baines has been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to cause a stack-based buffer overflow.
GATE-E2 Advisory
This advisory describes two vulnerabilities in the ABB GATE-E2 Pluto Ethernet gateway. The vulnerabilities were reported by Nelson Berg of Applied Risk. ABB is only providing generic workarounds, as this product is no longer supported. There is no indication that Berg has been provided an opportunity to verify the efficacy of the workarounds.
The two reported vulnerabilities are:
• Missing authentication for a critical function - CVE-2018-18995; and
• Cross-site scripting - CVE-2018-18997.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to gain unrestricted access to the administrative telnet/web interface of the device, enabling attackers to compromise the availability of the device, read or modify registers and settings, or change the device configuration.
NOTE: I briefly discussed the two ABB advisories supporting this NCCIC-ICS advisory last Saturday.
Schneider Update
This update to the previously issued Schneider advisory includes:
• Announcement of a new version that further mitigates the HatMan vulnerabilities; and
• The announcement that as of February 19th, 2019, “Schneider Electric will require customers to have a support contract in place to engage with the HatMan malware detection service.”