This week we have nine vendor notifications for products
from Schneider Electric (3), Yokogawa (1) and 3S (5).
Schneider Advisories
Schneider published an
advisory for three vulnerabilities in their EVLink Parking product.
The vulnerabilities were reported by Vladimir Kononovich and Vyacheslav Moskvin
(Positive
Technologies). Schneider has a new version that mitigates
the vulnerabilities. There is no indication that the researchers have been
provided an opportunity to verify the efficacy of the fix.
The three vulnerabilities are:
• Hard-coded credentials - CVE-2018-7800;
• Code injection - CVE-2018-7801; and
• SQL injection - CVE-2018-7802
Schneider published an
advisory for an input validation vulnerability in their Pro-Face
GP-Pro EX product. The vulnerability was reported by Yu Quiang (ADLab of
Venustech). Schneider has a new version that mitigates the vulnerability. There
is no indication that Yu has been provided an opportunity to verify the
efficacy of the fix.
Schneider published an advisory
for three vulnerabilities in their IIoT Monitor product. The vulnerabilities
were reported by rgod via the Zero Day Initiative. Schneider has a new version
that mitigates the vulnerabilities. There is no indication that rgod has been
provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Path traversal - CVE-2018-7835;
• Unrestricted upload of file with dangerous type - CVE-2018-7836; and
• Improper restriction of XML external entity reference - CVE-2018-7837
NOTE: I expect that we will see these three advisories
reported by NCCIC-ICS next week if they are allowed to continue to report
during the upcoming financial idiocy. NCCIC will operate, but the ICS reporting
function might not be allowed to continue until a funding bill is signed by the
President.
Yokogawa Advisory
Communication Driver. The vulnerability appears to be
self-reported. Yokogawa has a patch for many of the affected products to
mitigate the vulnerability, but many others are no longer supported.
3S Advisories
3S published an
advisory for an information exposure vulnerability in their CODESYS
Development System V3. The vulnerability was reported by Heinz Füglister of WRH
Walter Reist Holding AG. 3S has a new version that mitigates the vulnerability.
There is no indication that Füglister has been provided an opportunity to
verify the efficacy of the fix.
3S published an advisory
for two denial of service vulnerabilities in their CODESYS V3 products. The
vulnerabilities were reported by ABB Switzerland Ltd. and Jérôme Vialle of
Schneider Electric. 3S has a new version that mitigates the vulnerabilities.
There is no indication that the researchers have been provided an opportunity
to verify the efficacy of the fix.
3S published an
advisory for two denial of service vulnerabilities in their CODESYS
Development System V3 Alarm configuration application. These vulnerabilities
are self-reported. 3S has a new version that mitigates the
vulnerabilities.
3S published an advisory
for two denial of service vulnerabilities in their CODESYS Control V3 TLS
socket communication application. These vulnerabilities were reported by an
unidentified OEM customer. 3S has new versions that mitigate the
vulnerabilities. There is no indication that the customer was provided an
opportunity to verify the efficacy of the fix.
3S published an advisory
for two denial of service vulnerabilities in the CODESYS Control V3 Trace
Manager application. These vulnerabilities were reported by an unidentified OEM
customer. 3S has new versions that mitigate the vulnerabilities. There is no
indication that the customer was provided an opportunity to verify the efficacy
of the fix.
NOTE: As is obvious from the researchers who identified most
of the 3S vulnerabilities, 3S software is used by a number of ICS vendors. It
will be interesting to see how many of those vendors self-identify these
vulnerabilities in their products. Since 3S does not report CVE numbers for any
of these vulnerabilities, it will be hard to track.