Wednesday, December 19, 2018

7 Advisories and One Update Published - 12-18-18


Yesterday the DHS NCCIC-ICS published seven control system security advisories for products from ABB (3), Advantech, 3S and Siemens. They also published an update of a previously issued advisory for products from Schneider.

M2M Ethernet Advisory


This advisory describes an improper authentication vulnerability in the ABB M2M ETHERNET network analyzer. It was reported by Maxim Rupp. ABB has provided generic workarounds for this vulnerability. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit the vulnerability to upload a malicious language file.

NOTE: I briefly discussed the ABB advisory for this vulnerability in early November.


CMS-770 Advisory


This advisory describes an improper authentication vulnerability in the ABB CMS-770. This vulnerability was reported by Maxim Rupp. ABB has provided generic workarounds to mitigate the vulnerability. There is no indication that Rupp has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS has reported that a relatively low-skilled attacker on an adjacent network could exploit the vulnerability to read sensitive configuration files that may lead to code execution on the device.

NOTE: I briefly discussed the ABB advisory for this vulnerability in early November.

Siemens Advisory


This advisory describes a missing authentication for critical function vulnerability in the Siemens TIM 1531 IRC. Siemens is self-reporting this vulnerability. Siemens has a firmware update to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to perform arbitrary administrative operations.

NOTE: I briefly discussed the Siemens advisory and first update for this vulnerability last Saturday. The first update noted that the originally provided firmware update had been withdrawn and left just a workaround available to mitigate the vulnerability. This NCCIC-ICS advisory is based upon the second Siemens update of their advisory.

CODESYS V3 Advisory 1


This advisory describes two vulnerabilities in the 3S CODESYS V3 products. The vulnerabilities were reported by Alexander Nochvay from Kaspersky Lab. 3S has a new version that mitigates the vulnerabilities. There is no indication that Nochvay has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Use of insufficiently random values - CVE-2018-20025; and
• Improper restrictions of communication channel to intended endpoint - CVE-2018-20026

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to disguise the source of malicious communication packets and, through the insufficiently random values weakness, affect the confidentiality and integrity of data stored on the device.

NOTE: There are two 3S advisories that support this NCCIC-ICS advisory (here and here).

CODESYS V3 Advisory 2


This advisory describes an improper access control vulnerability in the 3S CODESYS Control V3 products. The vulnerability was reported by Yury Serdyuk of Kaspersky Lab. 3S has a new version and recommends activating the CODESYS Control online user management and encryption of the online communication. There is no indication that Serdyuk has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow unauthorized access and exfiltration of sensitive data including user credentials.

NOTE: 3S published five other advisories last week when they published the three supporting these two NCCIC-ICS advisories. Interestingly, none of the others have CVE numbers. More on these on Saturday.

Advantech Advisory


This advisory describes an improper input validation vulnerability in the Advantech WebAccess/SCADA product. The vulnerability was reported by Jacob Baines of Tenable Network Security. Advantech has a new version that mitigates the vulnerability. There is no indication that Baines has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to overflow a stack-based buffer.

GATE-E2 Advisory


This advisory describes two vulnerabilities in the ABB GATE-E2 Pluto Ethernet gateway. The vulnerabilities were reported by Nelson Berg of Applied Risk. ABB is only providing generic workarounds as this product is no longer supported. There is no indication that Berg has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Missing authentication of a critical function - CVE-2018-18995; and
• Cross-site scripting - CVE-2018-18997

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow unrestricted access to the administrative telnet/web interface of the device, enabling attackers to compromise the availability of the device, read or modify registers and settings, or change the device configuration.

NOTE: I briefly discussed the two ABB advisories supporting this NCCIC-ICS advisory last Saturday.

Schneider Update


This update provides additional information on an advisory that was originally published on April 17th, 2018, and updated on May 3rd, 2018. The update includes:

• Links to a rewritten Schneider advisory;
• Announcement of a new version that further mitigates the HatMan vulnerabilities;
• The announcement that as of February 19th, 2019, “Schneider Electric will require customers to have a support contract in place to engage with the HatMan malware detection service.”
