ICS-CERT Publishes 3 Advisories and 1 Update

Today the DHS ICS-CERT published three new control system security advisories for products from PEPPERL+FUCHS, WAGO and ABB. They also updated a previously published advisory for products from Rockwell.

PEPPERL+FUCHS Advisory

This advisory describes an improper authentication vulnerability in the PEPPERL+FUCHS VisuNet RM, VisuNet PC, Box Thin Client (BTC) families of products. The vulnerability was reported by Eyal Karni, Yaron Zinar, and Roman Blachman with Preempt Research Labs. PEPPERL+FUCHS has firmware updates for HMI running RM Shell 4 or RM Shell 5. For HMI running on Windows 7 or Windows 10 platforms the recommendation is to run the applicable Windows update for CVE-2018-0866. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

ICS-CERT reports that an uncharacterized attacker with uncharacterized access could exploit this vulnerability to intercept sensitive communications, establish a man-in-the-middle attack, achieve administrator privileges, and execute remote code.

NOTE: I initially reported on this vulnerability on July 7^th, 2018.

WAGO Advisory

This advisory describes three vulnerabilities in the WAGO e!DISPLAY Web-Based-Management. These vulnerabilities were reported by T. Weber of SEC Consult. The latest firmware version mitigates the vulnerabilities. There is no indication that Weber has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Cross-site scripting - CVE-2018-12981;

• Unrestricted upload of file with dangerous type - CVE-2018-12980; and

• Incorrect permission for critical resource - CVE-2018-12979

ICS-CERT reports that a relatively low-skilled attacker could use publicly available exploits to remotely exploit the vulnerabilities to execute code in the context of the user, execute code within the user’s browser, place malicious files within the filesystem, and replace existing files to allow privilege escalation.

NOTE: I initially reported on these vulnerabilities on July 14^th, 2018.

ABB Advisory

This advisory describes an improper input validation vulnerability in the ABB Panel Builder 800. The vulnerability was reported by Michael DePlante of Leahy Center and Michael Flanders of Trend Micro vis the Zero Day Initiative. ABB has provided work arounds pending further investigation of the vulnerabilities.

ICS-CERT reports that an uncharacterized attacker with uncharacterized access could conduct a social engineering attack to exploit this vulnerability to insert and run arbitrary code.

NOTE: I initially reported on these vulnerabilities on July 7^th, 2018.

Rockwell Update

This update provides new information on an advisory that was originally published on June 21^st 2018. The new information is an expansion of the affected versions for all affected products.