Saturday, May 18, 2019

Public ICS Disclosures – Week of 05-11-19


This week we have 14 vendor disclosures for products from Yokogawa, Drager, Tridium, Siemens and Schneider (10). We also have three researcher-reported disclosures for products from Prima Systems, Optergy, and Computrols. Then there are five reported exploits for products from SOCA (4) and Schneider. There were also some vendor reports on the Microsoft RDP vulnerability.

Microsoft RDP Vulnerability


While the NCCIC-ICS has yet to release an alert or advisory on the Microsoft® RDP vulnerability (CVE-2019-0708), a number of control system vendors this week have released their own outlook on the vulnerability in their products. The vendors include:

BD;
Drager;
Philips;
Schneider; and
Siemens

Yokogawa Advisory


Yokogawa published an advisory describing another 3rd party vulnerability from Microsoft in a number of Yokogawa products. The remote code execution vulnerability was reported by MS in 2017. Yokogawa recommends deleting the outdated MS file.

Drager Advisory


Drager has published an advisory describing an unencrypted credential storage vulnerability in their Dräger ServiceConnect Client. The vulnerability was reported by a customer. Drager will be publishing a new version that mitigates the vulnerability and has provided specific workarounds in the meantime.

Tridium Advisory


Tridium has published an advisory describing a 3rd party vulnerability from Google (CVE-2019-5786) in the Tridium jxBrowser. Tridium has an updated version available to mitigate the vulnerability.

Siemens Advisory


Siemens published an advisory describing a code execution vulnerability in the Siemens LOGO! Soft Comfort engineering software. The vulnerability was reported by axt and iDefense Labs. Siemens has provided generic workarounds to mitigate the vulnerability.

NOTE: This was included in the Siemens tranche from Tuesday, but it was not picked up by NCCIC-ICS with the rest.

Schneider Advisories


1. Pelco Endura NET55XX Encoder

Schneider has published an advisory describing an improper access control vulnerability in the Schneider Pelco Endura NET55XX Encoder. The vulnerability was reported by Vitor Esperança. Schneider has a new version that mitigates the vulnerability. There is no indication that Esperança has been provided an opportunity to verify the efficacy of the fix.

2. Modicon and PacDrive Controllers

Schneider has published an advisory describing a missing authentication for critical function vulnerability in the Schneider Modicon and PacDrive Controllers. The vulnerability was reported by Yehuda A (Claroty). Schneider has provided specific workarounds to mitigate the vulnerability. There is no indication that Claroty has been provided an opportunity to verify the efficacy of the fix.

3. Floating License Manager

Schneider has published an advisory describing three vulnerabilities in the Schneider Floating License Manager. Schneider has a new version that mitigates the vulnerabilities.

The three reported vulnerabilities are:

Denial of service vulnerability (2) - CVE-2018-20032 and CVE-2018-20034; and
Remote code execution vulnerability - CVE-2018-20033.

4. Modicon Controller

Schneider has published an advisory describing an improper check for unusual or exceptional conditions vulnerability in the Schneider Modicon Controller. The vulnerability was reported by Zhang Xiaoming, Zhang Jiawei, Sun Zhonghao and Luo bing from CNCERT/CC. Schneider has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

5. Modicon RTU Module

Schneider has published an advisory describing a hard-coded credentials vulnerability in the Schneider Modicon RTU Module. The vulnerability was reported by VAPT Team. Schneider has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

6. ConneXium Gateway

Schneider has published an advisory describing a cross-site scripting vulnerability in the Schneider ConneXium Gateway. The vulnerability was reported by Ezequiel Fernandez. Schneider recommends upgrading to a new product.

7. Modicon Quantum

Schneider has published an advisory describing a credentials management vulnerability in the Schneider Modicon Quantum. The vulnerability was reported by Chansim Deng. Schneider reports that newer versions mitigate the vulnerability. There is no indication that Chansim has been provided an opportunity to verify the efficacy of the fix.

8. Modicon Quantum

Schneider has published an advisory describing two vulnerabilities in the Schneider Modicon Quantum. The vulnerabilities were reported by Vyacheslav Moskvin and Ivan Kurnakov (Positive Technologies). Schneider recommends upgrading to a new product.

The two reported vulnerabilities are:

Permission, privileges and access control - CVE-2019-6815; and
Code injection - CVE-2019-6816

9. Modicon Controller

Schneider has published an advisory describing a buffer errors vulnerability in the Schneider Modicon Controller. The vulnerability was reported by Nikita Maximov and Alexey Stennikov of Positive Technologies. Schneider has new firmware versions available to mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

10. Intel Microarchitectural Data Sampling

Schneider has published an advisory describing the impact of the Intel Microarchitectural Data Sampling (aka: ZombieLoad, FallOut, and RIDL) vulnerability in Schneider products.

Prima Systems Report


Prime Risk has published a report [updated link - 7-30-19] describing ten vulnerabilities in the Prima Systems FlexAir Access Control Platform. Prima Systems has a new version that reportedly mitigates the vulnerabilities.

The ten reported vulnerabilities are:

Default credentials;
Command injection;
Unrestricted file upload;
Insufficient session-ID length;
Cross-site scripting;
Cross-site request forgery;
Predictable database name download;
Authentication with MD5 hash;
Hard-coded credentials;
Authenticated script upload code execution

Optergy Proton Report


Applied Risk published a report describing six vulnerabilities in the Optergy Proton Enterprise Building Management System. Optergy has a new firmware version that reportedly mitigates the vulnerabilities.

The six reported vulnerabilities are:

Open redirect;
Cross-site script forgery;
Unrestricted file upload;
Information disclosure;
Hard-coded credentials and SMS messages;
Back-door console.

Computrols Report


Applied Risk published a report describing ten vulnerabilities in the Computrols CBAS-Web Building Management System. Computrols has a new firmware version that reportedly mitigates the vulnerabilities.

The ten reported vulnerabilities are:

Cross-site scripting;
Cross-site request forgery;
Username enumeration;
Source code disclosure;
Default credentials;
Hard-coded encryption key;
Authenticated blind SQL injection;
Authentication bypass;
Authenticated command injection; and
Mishandling of password hashes.

SOCA Exploits


Zero Science published exploits for four separate vulnerabilities in the SOCA Access Control System 180612. The vulnerabilities exploited are:


There is no reference to vendor notification or mitigation measures. I assume that these are zero-day exploits.

Schneider Exploit


RCE Security published an exploit for a command injection vulnerability in the Schneider U.Motion Builder. Schneider reported this vulnerability earlier this year.
