Yesterday the DHS NCCIC-ICS published three control system
security advisories for products from Telecrane, GAIN Electronics and
Advantech.
Telecrane Advisory
This advisory
describes an authentication bypass by capture-replay vulnerability in the
Telecrane F25 Series remote control. The vulnerability was reported by Jonathan
Andersson, Philippe Z Lin, Akira Urano, Marco Balduzzi, Federico Maggi, Stephen
Hilt, and Rainer Vosseler via the Zero Day Initiative. Telecrane has a new firmware
version that mitigates the vulnerability. There is no indication that any of
the researchers have been provided an opportunity to verify the efficacy of the
fix.
NCCIC-ICS reports that a relatively low-skilled attacker with
uncharacterized access could exploit this vulnerability to view commands,
replay commands, control the device, or stop the device from running.
GAIN Advisory
This advisory
describes three vulnerabilities in the Gain SAGA1-L series remote control. The
vulnerabilities were reported by Marco Balduzzi, Philippe Z Lin, Federico Maggi,
Jonathan Andersson, Urano Akira, Stephen Hilt, and Rainer Vosseler via ZDI.
GAIN has a new firmware version that mitigates the vulnerabilities. There is no
indication that any of the researchers have been provided an opportunity to
verify the efficacy of the fix.
The three reported vulnerabilities are:
• Authentication bypass by capture-replay - CVE-2018-17903;
• Improper access control - CVE-2018-20783; and
• Improper authentication - CVE-2018-17923
NCCIC-ICS reports that a relatively low-skilled attacker
with access to an adjacent network could exploit these vulnerabilities to achieve
remote code execution and potentially delete the product's firmware.
NOTE: It is interesting that these researchers have found similar capture and replay vulnerabilities in two different industrial remote control systems. As these wireless systems become more common will we continue to see this type of vulnerability?
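Both the Telecrane and the GAIN advisories above list the same weakness class, authentication bypass by capture-replay, so it is worth seeing concretely what that class looks like and what a fix has to do. The following is an added example, not code from either vendor's product or from the advisories: the frame layout, pairing ID, shared key and command codes are all invented for the illustration. It shows a toy remote-control protocol whose only "authentication" is a static pairing ID, which accepts a captured frame indefinitely, next to a hardened version that binds each frame to a monotonic counter with an HMAC so that a replayed or edited frame is rejected.

```python
"""Capture-and-replay against a toy wireless remote-control protocol.

Constructed illustration for this post: the frame format, PAIRING_ID, KEY and
command codes are invented and are not any vendor's actual radio protocol.
"""
import hashlib
import hmac
import struct

KEY = b"constructed-shared-secret-for-demo"   # assumed: provisioned at pairing time
PAIRING_ID = 0x1234                          # assumed: fixed transmitter/receiver ID

# Command codes invented for the example.
CMD_STOP, CMD_HOIST_UP, CMD_HOIST_DOWN = 0x01, 0x02, 0x03


# --- Vulnerable design: the only "authentication" is a static pairing ID -------

def build_fixed_frame(cmd: int) -> bytes:
    """Frame = pairing ID || command. Every byte is constant for a given command,
    so a frame sniffed once off the air can be replayed forever."""
    return struct.pack(">HB", PAIRING_ID, cmd)


def fixed_receiver_accepts(frame: bytes) -> bool:
    """Accepts any frame whose pairing ID matches; nothing ties it to 'now'."""
    if len(frame) != 3:
        return False
    pid, _cmd = struct.unpack(">HB", frame)
    return pid == PAIRING_ID


# --- Hardened design: monotonic counter + MAC over ID, counter and command -----

class CounterTransmitter:
    def __init__(self) -> None:
        self.counter = 0

    def build_frame(self, cmd: int) -> bytes:
        """Frame = pairing ID || counter || command || HMAC-SHA256(key, body)[:8]."""
        self.counter += 1
        body = struct.pack(">HIB", PAIRING_ID, self.counter, cmd)  # 7 bytes
        tag = hmac.new(KEY, body, hashlib.sha256).digest()[:8]
        return body + tag


class CounterReceiver:
    def __init__(self) -> None:
        self.last_counter = 0  # in a real device this must survive power cycles

    def accepts(self, frame: bytes) -> bool:
        if len(frame) != 7 + 8:
            return False
        body, tag = frame[:7], frame[7:]
        pid, counter, _cmd = struct.unpack(">HIB", body)
        if pid != PAIRING_ID:
            return False
        expected = hmac.new(KEY, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False           # edited or forged frame: MAC does not verify
        if counter <= self.last_counter:
            return False           # replayed frame: counter is not fresh
        self.last_counter = counter
        return True


def run_demo() -> dict:
    """Play the attack against both designs and report what each receiver did."""
    results = {}

    # Attacker sniffs one legitimate HOIST_UP frame and sends it again later.
    captured = build_fixed_frame(CMD_HOIST_UP)
    results["fixed_replay_accepted"] = fixed_receiver_accepts(captured)

    tx, rx = CounterTransmitter(), CounterReceiver()
    legit = tx.build_frame(CMD_HOIST_UP)
    results["counter_first_accepted"] = rx.accepts(legit)
    results["counter_replay_accepted"] = rx.accepts(legit)

    # Attacker flips the command byte (offset 6) of the captured frame.
    forged = bytearray(legit)
    forged[6] = CMD_HOIST_DOWN
    results["counter_forgery_accepted"] = rx.accepts(bytes(forged))

    # The real transmitter's next frame still goes through.
    results["counter_next_accepted"] = rx.accepts(tx.build_frame(CMD_STOP))
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Two caveats a practitioner would check before trusting a counter-based fix like this one: the receiver's `last_counter` has to be stored in non-volatile memory, or a power cycle reopens the replay window, and a counter alone does not stop an attacker who jams the receiver while recording a fresh frame and plays it back a moment later. The first is an implementation detail; the second is why a challenge-response exchange, where the receiver contributes the nonce, is the stronger design for safety-critical commands.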
Advantech Advisory
This advisory describes
four vulnerabilities in the Advantech WebAccess application. The vulnerabilities
were reported by Matt Powell via ZDI. Advantech has a new version available
that mitigates the vulnerabilities. There is no indication that Powell has been
provided an opportunity to verify the efficacy of the fix.
The four reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2018-14816;
• External control of filename or path - CVE-2018-14820;
• Improper privilege management - CVE-2018-14828; and
• Path traversal - CVE-2018-14806
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to execute arbitrary code, access
files and perform actions at a privileged level, or delete files on the system.