This week we have three vendor disclosures from Schneider
Electric, ABB and Siemens, exploit code for a previously disclosed
vulnerability and a disclosure from a researcher which has probably been
coordinated with Moxa. And there is a special non-disclosure disclosure at the
end of the post.
Schneider Advisory
This advisory
describes five vulnerabilities in the Schneider Embedded Web Servers for
Modicon V1.1 PLCs. The vulnerabilities were reported by Tenable. Schneider has
provided generic fixes to mitigate the vulnerabilities. There is no indication
that Tenable has been provided an opportunity to verify the efficacy of the
fixes.
The five reported vulnerabilities are:
• Unverified password change (2) - CVE-2018-7811
and CVE-2018-7809;
• Cross-site scripting - CVE-2018-7810;
• Basic XSS - CVE-2018-7831; and
• HTTP response splitting - CVE-2018-7830
ABB Advisory
This advisory
describes an improper input validation vulnerability in the ABB CP400 Panel
Builder TextEditor 2.0. The vulnerability was reported by Ivan Sanchez from
Nullcode Team. ABB has an updated version of the affected products to mitigate
the vulnerability. ABB reports that Sanchez has verified the efficacy of the
fix.
Siemens Advisory
This advisory
describes 21 vulnerabilities in the GNU/Linux subsystem of
the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP. The vulnerabilities
were reported by an unidentified ‘external source’. Siemens reports that the
vulnerabilities will be corrected in the next firmware version and currently
provides generic mitigation advice.
The advisory provides links to 21 CVEs without a
description of the associated vulnerability or a risk evaluation of the vulnerability
in the affected system. I have clicked through on a couple of these links to
the Debian.org reports on the vulnerabilities and there is a wide variety of
vulnerabilities involved here, with reports of public exploits for many of them.
Those exploits are not specifically for the Siemens implementation of these processes,
but a reasonably competent hacker could probably use them to craft a Siemens-specific
exploit.
NOTE: Insert standard blurb about 3rd party
vulnerabilities potentially being found in products from other vendors.
Fortunately (sarcasm warning) Linux is a rather obscure OS and is seldom seen
in real operations. (SIGH)
Schneider Exploit
PHOTUBIAS published
an exploit for a session calculation authentication bypass vulnerability in the
Schneider Modicon PLCs. This vulnerability was previously
reported by ICS-CERT.
NOTE: Exploit-DB.com has ‘updated’ the layout of their site.
Larger print in headers, more colorful, but unfortunately harder to read. Too
bad.
Moxa Vulnerabilities
Maxim Khazov reports two OS
command injection vulnerabilities in the Moxa NPort W2x50A wireless device
servers. The report includes proof of concept exploit instructions. Khazov
reports that Moxa has fixed these vulnerabilities in a newer version, but it is
not clear if this is a coordinated disclosure.
Bonus Non-Disclosure Disclosure
This week OSIsoft released a new version of PI Integrator
for Business Analytics. In the release
notes (pg 12) OSIsoft notes that:
“For this release of the PI
Integrator for Business Analytics, one security vulnerability was identified
and fixed. The resolved issue was rated using the Common Vulnerability Scoring
System (CVSS).”
The only other information provided was that the CVSS score
was rated as low (0.1 to 3.9).
Now I have a lot of respect for OSIsoft’s commitment to
security and I am a big fan of their PI Processbook application, but the way
OSIsoft has handled this non-disclosure is disappointing. It is great that they
have fixed this unidentified, low-risk security vulnerability, but they have
provided no security incentive to owners of this product to upgrade to this new
version. The other fixes enumerated in the release notes may provide adequate
incentive to upgrade, but if folks have not had problems with those listed
issues, a defined security problem might make a difference.
BTW: I really hate it when people set security on .PDF
documents so that they will not allow cutting and pasting from the documents.
Really? I like to make sure that when I quote a document, I do it accurately.
Cutting and pasting is the easiest, most efficient way of doing that. Re-typing
just sets me up for making errors. And, the quote is still there.