Thursday, January 17, 2019

Three Advisories Published – 01-17-19


Today the DHS NCCIC-ICS published three control system security advisories for products from ControlByWeb, ABB and Omron.

ControlByWeb Advisory


This advisory describes two vulnerabilities in the ControlByWeb X-320M web-enabled weather station. The vulnerabilities were reported by John Elder and Tom Westenberg of Applied Risk. ControlByWeb has a firmware update that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper authentication - CVE-2018-18881; and
Cross-site scripting - CVE-2018-18882

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow arbitrary code execution and could cause the device being accessed to require a physical factory reset to restore the device to an operational state.

ABB Advisory


This advisory describes an improper input validation vulnerability in the ABB CP400 Panel Builder TextEditor. The vulnerability was reported by Ivan Sanchez of NullCode. ABB has a new version that mitigates the vulnerability. There is no indication that Sanchez has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to allow an attacker to execute arbitrary code and cause a denial-of-service condition within the Text Editor application. The ABB security advisory reports that a social engineering attack would be required to get an operator to load a specially crafted file.

NOTE: I briefly discussed this vulnerability back in early December.

Omron Advisory


This advisory describes five vulnerabilities in the Omron CX-Supervisor. The vulnerabilities were reported by Esteban Ruiz (mr_me) of Source Incite via the Zero Day Initiative. Omron has a new version that mitigates the vulnerabilities. There is no indication that Ruiz has been provided an opportunity to verify the efficacy of the fix.

The five reported vulnerabilities are:

• Code injection - CVE-2018-19011;
• Command injection (2) - CVE-2018-19013 and CVE-2018-19015;
• Use after free - CVE-2018-19017; and
• Type confusion - CVE-2018-19019

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit these vulnerabilities to cause a denial-of-service condition, and/or allow an attacker to achieve code execution with privileges within the context of the application.

NOTE: The Omron release notes for the new version recommended in this NCCIC-ICS advisory lists 8 ZDI reported vulnerabilities (no details currently available on ZDI site) corrected and a couple of other cybersecurity improvements that are included.

No comments:

 
/* Use this with templates/template-twocol.html */