Yesterday the DHS NCCIC-ICS published three control system
security advisories for products from Sierra Wireless, GE, and Orpak.
Sierra Wireless Advisory
This advisory
describes seven vulnerabilities in the Sierra Wireless AirLink ALEOS. The
vulnerabilities were
reported by Carl Hurd and Jared Rittle of Cisco Talos. Sierra Wireless
reports that the latest versions of ALEOS (not all yet available) mitigate the
vulnerabilities. There is no indication that the researchers were provided an
opportunity to verify the efficacy of the fix.
The seven reported vulnerabilities are:
• OS command injection - CVE-2018-4061;
• Use of hard-coded credentials - CVE-2018-4062;
• Unrestricted upload of file with dangerous type - CVE-2018-4063;
• Cross-site scripting - CVE-2018-4065;
• Cross-site request forgery - CVE-2018-4066;
• Information exposure - CVE-2018-4067; and
• Missing encryption of sensitive data - CVE-2018-4069
The Talos web site lists six additional vulnerabilities
(with exploits) {NOTE: the Sierra Wireless advisory
(.PDF Download) explains these ‘vulnerabilities’}:
NCCIC-ICS reports that a relatively low-skilled attacker
could use publicly available exploits to remotely exploit these vulnerabilities
to remotely execute code, discover user credentials, upload files, or discover
file paths.
GE Advisory
This advisory
describes five vulnerabilities in the General Electric Communicator. The
vulnerabilities were reported by Reid Wightman of Dragos. GE has a new version
that mitigates the vulnerabilities.
There is no indication that Reid has been provided an opportunity to verify the
efficacy of the fix.
The five reported vulnerabilities are:
• Uncontrolled search path (2) - CVE-2019-6564 and CVE-2019-6546;
• Hard-coded credentials - CVE-2019-6548; and
• Improper access controls (2) - CVE-2019-6544 and CVE-2019-6566
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to gain administrative privileges,
manipulate widgets and UI elements, gain control over the database, or execute
administrative commands.
Orpak Advisory
This advisory
describes six vulnerabilities in the Orpak SiteOmat fuel management software.
The vulnerabilities were reported
by Ido Naor of Kaspersky Lab. Orpak has an update available that mitigates
the vulnerabilities. There is no indication that Naor has been provided an
opportunity to verify the efficacy of the fix.
The six reported vulnerabilities are:
• Use of hard-coded credentials - CVE-2017-14728;
• Cross-site scripting - CVE-2017-14850;
• SQL injection - CVE-2017-14851;
• Missing encryption of sensitive data - CVE-2017-14852;
• Code injection - CVE-2017-14853; and
• Stack-based buffer overflow - CVE-2017-14854
NCCIC-ICS reports that a relatively low-skilled attacker
could use publicly available exploits (NOTE: The exploits have been available
for over one year) to remotely exploit these vulnerabilities to effect arbitrary
remote code execution resulting in possible denial-of-service conditions and
unauthorized access to view and edit monitoring, configuration, and payment
information.