This week we have 14 vendor disclosures for products from
Yokogawa, Drager, Tridium, Siemens and Schneider (10). We also have three
researcher-reported disclosures for products from Prima Systems, Optergy, and Computrols.
Then there are five reported exploits for products from SOCA (4) and Schneider.
There were also some vendor reports on the Microsoft RDP vulnerability.
Microsoft RDP Vulnerability
While the NCCIC-ICS has yet to release an alert or advisory
on the Microsoft® RDP vulnerability (CVE-2019-0708),
a number of control system vendors this week have released their own outlook on
the vulnerability in their products. The vendors include:
Yokogawa Advisory
Yokogawa published an advisory describing another 3rd-party vulnerability from
Microsoft in a number of Yokogawa products. The remote code execution vulnerability
was reported by MS in 2017. Yokogawa recommends deleting the outdated MS file.
Drager Advisory
Drager has published an advisory describing an unencrypted credential storage vulnerability in
their Dräger ServiceConnect Client. The vulnerability was reported by a
customer. Drager will be publishing a new version that mitigates the
vulnerability and has provided specific workarounds in the meantime.
Tridium Advisory
Tridium has published an advisory describing a 3rd-party vulnerability from
Google (CVE-2019-5786) in the Tridium jxBrowser. Tridium has an updated version
available to mitigate the vulnerability.
Siemens Advisory
Siemens published an advisory describing a code execution vulnerability in the Siemens LOGO!
Soft Comfort engineering software. The vulnerability was reported by axt and iDefense
Labs. Siemens has provided generic workarounds to mitigate the vulnerability.
NOTE: This was included in the Siemens tranche from Tuesday,
but it was not picked up by NCCIC-ICS with the rest.
Schneider Advisories
1. Pelco Endura NET55XX Encoder
Schneider has published an advisory describing an improper access control vulnerability in the
Schneider Pelco Endura NET55XX Encoder. The vulnerability was reported by Vitor
Esperança. Schneider has a new version that mitigates the vulnerability. There
is no indication that Esperança has been provided an opportunity to verify the
efficacy of the fix.
2. Modicon and PacDrive Controllers
Schneider has published an advisory describing a missing authentication for critical function
vulnerability in the Schneider Modicon and PacDrive Controllers. The vulnerability
was reported by Yehuda A (Claroty). Schneider has provided specific workarounds
to mitigate the vulnerability. There is no indication that Claroty has been
provided an opportunity to verify the efficacy of the fix.
3. Floating License Manager
Schneider has published an advisory describing three vulnerabilities in the
Schneider Floating License Manager. Schneider has a new version that mitigates
the vulnerabilities.
The three reported vulnerabilities are:
• Denial of service vulnerability (2) - CVE-2018-20032 and CVE-2018-20034; and
• Remote code execution vulnerability - CVE-2018-20033.
4. Modicon Controller
Schneider has published an advisory describing an improper check for unusual or
exceptional conditions vulnerability in the Schneider Modicon Controller. The
vulnerability was reported by Zhang Xiaoming, Zhang Jiawei, Sun Zhonghao and
Luo bing from CNCERT/CC. Schneider has a new version that mitigates the
vulnerability. There is no indication that the researchers have been provided
an opportunity to verify the efficacy of the fix.
5. Modicon RTU Module
Schneider has published an advisory describing a hard-coded credentials vulnerability in the Schneider
Modicon RTU Module. The vulnerability was reported by VAPT Team. Schneider has
a new version that mitigates the vulnerability. There is no indication that the
researchers have been provided an opportunity to verify the efficacy of the
fix.
6. ConneXium Gateway
Schneider has published an advisory describing a cross-site scripting
vulnerability in the Schneider ConneXium Gateway. The vulnerability was reported
by Ezequiel Fernandez. Schneider recommends upgrading to a new product.
7. Modicon Quantum
Schneider has published an advisory describing a credentials management vulnerability in the Schneider
Modicon Quantum. The vulnerability was reported by Chansim Deng. Schneider
reports that newer versions mitigate the vulnerability. There is no indication
that Chansim has been provided an opportunity to verify the efficacy of the
fix.
8. Modicon Quantum
Schneider has published an advisory describing two vulnerabilities in the
Schneider Modicon Quantum. The vulnerabilities were reported by Vyacheslav
Moskvin and Ivan Kurnakov (Positive Technologies). Schneider recommends
upgrading to a new product.
The two reported vulnerabilities are:
• Permission, privileges and access control - CVE-2019-6815; and
• Code injection - CVE-2019-6816
9. Modicon Controller
Schneider has published an advisory describing a buffer errors
vulnerability in the Schneider Modicon Controller. The vulnerability was
reported by Nikita Maximov and Alexey Stennikov of Positive Technologies.
Schneider has new firmware versions available to mitigate the vulnerability.
There is no indication that the researchers have been provided an opportunity
to verify the efficacy of the fix.
10. Intel Microarchitectural Data Sampling
Schneider has published an advisory describing the impact of the Intel
Microarchitectural Data Sampling (aka: ZombieLoad, FallOut, and RIDL)
vulnerability in Schneider products.
Prima Systems Report
Prime Risk has published a report [updated link - 7-30-19] describing ten
vulnerabilities in the Prima Systems FlexAir Access Control Platform. Prima
Systems has a new version that reportedly mitigates the vulnerabilities.
The ten reported vulnerabilities are:
• Default credentials;
• Command injection;
• Unrestricted file upload;
• Insufficient session-ID length;
• Cross-site scripting;
• Cross-site request forgery;
• Predictable database name download;
• Authentication with MD5 hash;
• Hard-coded credentials;
• Authenticated script upload code execution
Optergy Proton Report
Applied Risk published a report describing six vulnerabilities in the Optergy Proton Enterprise
Building Management System. Optergy has a new firmware version that reportedly
mitigates the vulnerabilities.
The six reported vulnerabilities are:
• Open redirect;
• Cross-site script forgery;
• Unrestricted file upload;
• Information disclosure;
• Hard-coded credentials and SMS messages;
• Back-door console.
Computrols Report
Applied Risk published a report describing ten vulnerabilities in the Computrols CBAS-Web Building
Management System. Computrols has a new firmware version that reportedly
mitigates the vulnerabilities.
The ten reported vulnerabilities are:
• Cross-site scripting;
• Cross-site request forgery;
• Username enumeration;
• Source code disclosure;
• Default credentials;
• Hard-coded encryption key;
• Authenticated blind SQL injection;
• Authentication bypass;
• Authenticated command injection; and
• Mishandling of password hashes.
SOCA Exploits
Zero Science published exploits for four separate
vulnerabilities in the SOCA Access Control System 180612. The vulnerabilities
exploited are:
There is no reference to vendor notification or mitigation
measures. I assume that these are zero-day exploits.
Schneider Exploit
RCE Security published an exploit for a command injection vulnerability in the
Schneider U.Motion Builder. Schneider reported this vulnerability earlier this
year.