This week we have three vendor disclosures from Schneider
Electric and one researcher report for cloud services from Hikvision.
Wiser for KNX Advisory
This advisory
describes an FTP access vulnerability in the Schneider Wiser for KNX logic
controller. The vulnerability was reported by Jokin Guevara. Schneider has an
update that mitigates the vulnerability. There is no indication that Guevara
has been provided an opportunity to verify the efficacy of the fix.
Schneider reports that an uncharacterized attacker could
remotely exploit the vulnerability to gain unauthorized access.
EVlink Charging Station Advisory
This advisory
describes a cookie modification privilege escalation in the Schneider EVlink
charging station. This vulnerability was reported by Joakim B. Hellum. Schneider
has an update that mitigates the vulnerability. There is no indication that Hellum
has been provided an opportunity to verify the efficacy of the fix.
Schneider reports that an uncharacterized attacker could
remotely exploit the vulnerability to gain administrative privileges without
properly authenticating remote users.
Pelco Sarix Professional Advisory
This advisory
describes three vulnerabilities in the Schneider Pelco Sarix Professional IP cameras.
The vulnerabilities were reported by Weapon x, Giri Veeraraghavan Veda, and Gulf
Business Machines. Schneider has an update available that mitigates the
vulnerabilities. There is no indication that any of the researchers have been
provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Buffer overflow - CVE-2018-7780;
• Authenticated password disclosure and privilege escalation - CVE-2018-7781; and
• Authenticated password disclosure - CVE-2018-7782
Hikvision Advisory
This advisory
describes an authentication vulnerability in the Hikvision hik-connect.com and
ezvizlife.com cloud services. The vulnerability was reported by Vangelis Stykas,
and the hack process is reported in depth here (Medium.com
registration required). Hikvision has a fix available, but there is no
indication that Stykas has been provided an opportunity to verify the fix.