This week we have five vendor disclosures for products from
Kunbus, Schneider (3) and Rockwell; five vendor updates from Siemens; one
coordinated disclosure for products from Resource Data Management and one
exploit for a previously disclosed vulnerability for products from AVEVA.
Kunbus Advisory
Kunbus published an
advisory for five vulnerabilities in its KUNBUS-GW Modbus TCP PR100088
product. The vulnerabilities were reported by Nicolas Merle of Applied Risk.
Kunbus is working on an update to mitigate the vulnerabilities.
The five reported vulnerabilities are:
• Conditional authentication bypass;
• Missing authentication for critical function;
• Denial of service;
• Publication of information by parameter data in an HTTP GET request; and
• Plain text storage of passwords
Schneider Advisories
Schneider has published an
advisory describing six vulnerabilities in its Sarix Enhanced and Spectra
Enhanced cameras. The vulnerabilities were reported by Deng Yongkai (NSFOCUS)
and Gjoko Krstic (Zero Science). Schneider has a new firmware version that
mitigates the vulnerabilities. There is no indication that the researchers have
been provided an opportunity to verify the efficacy of the fix.
The six reported vulnerabilities are:
• A permissions, privileges, and access control vulnerability - CVE-2018-7816;
• A command injection vulnerability (2) - CVE-2018-7825 and CVE-2018-7826;
• A cross-site scripting (XSS) vulnerability (2) - CVE-2018-7827 and CVE-2018-7828; and
• An improper neutralization of special elements in query vulnerability - CVE-2018-7829
Schneider has published an
advisory describing a buffer error vulnerability in its Vijeo Designer Lite
software. The vulnerability is self-reported. Schneider has provided generic
mitigations as the product has reached end-of-life status.
SoMachine Basic products. The vulnerabilities were reported
by Matthias Niedermaier (Hochschule Augsburg), Jan-Ole Malchow (Freie Universität
Berlin), Florian Fischer (Hochschule Augsburg) and Reid Wightman (Dragos Inc.).
Schneider has updates available to mitigate the vulnerabilities. There is no
indication that the researchers have been provided an opportunity to verify the
efficacy of the fix.
The three reported vulnerabilities are:
• An environment vulnerability (2) - CVE-2018-7821 and CVE-2018-7823; and
• An incorrect default permissions vulnerability - CVE-2018-7822
Rockwell Advisory
Rockwell has published an
advisory describing two vulnerabilities in its PowerMonitor 1000 monitor
that were publicly reported (with exploits) in December (here and here)
by Luca Chiou. Rockwell has provided generic mitigation measures
pending development of updates. It also provides a
link to intrusion prevention system (by CheckPoint) rules to detect the
cross-site scripting vulnerability.
The two reported vulnerabilities are:
• Cross-site scripting - CVE-2019-19615; and
• Authentication bypass - CVE-2019-19616
Siemens Updates
Siemens published an update
for their advisory on Spectre and Meltdown Vulnerabilities in Industrial
Products. They added updated affected version data and provided links to
mitigations for:
• SIMATIC ET 200 SP Open Controller; and
• SIMATIC IPC547E
NOTE: NCCIC-ICS updated
their alert (ICS-ALERT-18-011-01) for this vulnerability when Siemens added
a new advisory. That technically included this update since the link provided
in the alert goes to the latest version of the Siemens advisory.
Siemens published an update
for their advisory on Spectre-NG (Variants 3a and 4) Vulnerabilities in
Industrial Products. They added updated version data and provided links to
mitigations for:
• SIMATIC ET 200 SP Open Controller;
• SIMATIC ET 200 SP Open Controller (F);
• SIMATIC S7-1500 Software Controller;
• SIMATIC IPC547E;
• SIMATIC ITP1000;
• SIMATIC IPC3000 SMART V2;
• SIMATIC IPC347E;
• SIMATIC HMI Basic; and
• Panels 2nd Generation
They also removed the following unaffected products from the
advisory:
• SIMATIC IPC227E;
• SIMATIC IPC277E;
• SIMATIC IPC327E; and
• SIMATIC IPC377E
NOTE: NCCIC-ICS is expected to update their advisory.
Siemens published an update
for their advisory on Vulnerabilities in the additional GNU/Linux subsystem of
the SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP. They added two additional
vulnerabilities to the list for these products:
• CVE-2018-1000876; and
• CVE-2018-16862
NOTE: NCCIC-ICS has not published an advisory/alert on these
vulnerabilities.
Siemens has published an update
for their advisory on Denial-of-Service in SICAM A8000 Series. They updated the
CVSS vector due to a known exploit.
Siemens has published an update
for their advisory on Foreshadow / L1 Terminal Fault Vulnerabilities in
Industrial Products. They updated the affected version data and provided links
to the mitigation measures for:
• SIMATIC IPC547E;
• SIMATIC IPC547G;
• SIMATIC ITP1000;
• SIMATIC IPC3000 SMART V2; and
• SIMATIC IPC347E
They also removed the following unaffected products from the
advisory:
• SIMATIC IPC227E;
• SIMATIC IPC277E;
• SIMATIC IPC327E; and
• SIMATIC IPC377E
NOTE: NCCIC-ICS has not published an advisory/alert on these
vulnerabilities.
Resource Data Management
Safety Detective published an article
describing default credential vulnerabilities for commercial refrigeration systems
from Resource Data Management. The article describes how the researchers were
able to locate vulnerable systems, change settings, and manipulate controls in
systems in hospitals and stores.
AVEVA Exploit
Jacob Baines published an exploit for vulnerabilities
in the AVEVA InduSoft Web Studio. The vulnerabilities were reported
by NCCIC-ICS earlier this month.