2 Advisories and an Update Published – 01-08-19

Today the DHS NCCIC-ICS published two control system security advisories and an update for a previously published advisory; all for products from Schneider Electric.

IIoT Monitor Advisory

This advisory describes three vulnerabilities in the Schneider IIoT Monitor monitoring platform. The vulnerabilities were reported by rgod via the Zero Day Initiative. Schneider has new software available that mitigates the vulnerabilities. There is no indication that rgod has been provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Path traversal - CVE-2018-7835;

• Unrestricted upload of a file with dangerous type - CVE-2018-7836; and

• XXE - CVE-2018-7837

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to

Zelio Soft 2 Advisory

This advisory describes a use after free vulnerability in the Schneider Zelio Soft programing platform. The vulnerability was reported by rgod and mdm of 9SG Security Team via ZDI. Schneider has a new version that mitigates the vulnerability. There is no indication that the researchers were provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow for remote code execution when opening a specially crafted project file.

NOTE: I briefly discussed this vulnerability last Saturday.

U.motion Builder Update

This update provides additional information on an advisory that was originally published on June 29^th, 2017. The new information includes:

• Adding the other 17 vulnerabilities that I mentioned in the original post; and

• Report of a firmware update that mitigates ‘most of these vulnerabilities’;

NOTE: The latest revised Schneider advisory (v5) that was published on November 20^th, 2018 reports that the firmware update only mitigates six of the vulnerabilities.

Siemens Update

This is the second Tuesday in January and Siemens published five new advisories and seven updates this morning. None made it to the NCCIC-ICS site today. I expect that we should start seeing most of them tomorrow.