This week we have a vendor disclosure from PEPPERL+FUCHS via
CERT-VDE. There were also a significant number of exploits published this week
for a variety of IP cameras.
PEPPERL+FUCHS Advisory
This advisory
describes an Android privilege escalation vulnerability in the PEPPERL+FUCHS CT50-Ex
hand-held computer for hazardous environments {NOTE: This is apparently the
PEPPERL+FUCHS (ecom) rebrand of the Honeywell Dolphin CT50-Ex}. The
vulnerability was self-reported by PEPPERL+FUCHS. There is an update available
to mitigate the vulnerability.
NOTE: This vulnerability was reported
by Honeywell and covered by NCCIC-ICS in ICSA-18-256-01
back in September.
I wonder what other second-tier vendors have
rebranded this vulnerable Honeywell product without informing their customers
about the Honeywell advisory.
IP Camera Exploits
Gjoko Krstic (LiquidWorm) released exploit code for three IP
cameras along with advisories on the seven vulnerabilities via Zero Science
Labs. For the first six vulnerabilities (for products from FLIR Systems) listed
below, the disclosures were coordinated with the vendor. The TP-Link advisory
does not contain any vendor coordination information, so that may be a zero-day
vulnerability.