Today the DHS NCCIC-ICS published two control system
security advisories for products from WAGO and Johnson Controls. They also
published a medical device security advisory for products from BD.
WAGO Advisory
This advisory
describes three vulnerabilities in the WAGO 852 Industrial Managed Switches.
The vulnerabilities were
reported by T. Weber of SEC Consult Vulnerability Lab. WAGO reports that
the latest firmware for the affected products mitigates the vulnerabilities.
There is no indication that Weber has been provided an opportunity to verify
the efficacy of the fix.
The three reported vulnerabilities are:
• Use of hard-coded credentials - CVE-2019-12550;
• Use of hard-coded cryptographic key - CVE-2019-12549;
• Use of components with known vulnerabilities
Note: The CERT VDE advisory lists
the following component vulnerabilities:
• BusyBox (v 1.12.0) - CVE-2013-1813, CVE-2016-2148,
CVE-2016-6301, CVE-2011-2716, CVE-2011-5325, CVE-2015-9261, CVE-2016-2147,
CVE-2017-16544 etc.; and
• GNU glibc (v 2.8) - CVE-2010-0296, CVE-2010-3856,
CVE-2012-4412, CVE-2014-4043, CVE-2014-9402, CVE-2014-9761, CVE-2014-9984,
CVE-2015-14 etc.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to compromise the managed
switch, resulting in disruption of communication and root access to the
operating system. The SEC Consult report includes proof of concept code for the
first two vulnerabilities.
Johnson Controls Advisory
This advisory
describes an improper authorization vulnerability in the Johnson Controls exacqVision
Enterprise System Manager. The vulnerability was reported by @bzyo_. Johnson
Controls reports that the latest version mitigates the vulnerability. There is
no indication that @bzyo_ has been provided an opportunity to verify the
efficacy of the fix.
NCCIC-ICS reports that an uncharacterized attacker with
uncharacterized access could exploit the vulnerability to allow malicious code
execution.
BD Advisory
This advisory
describes two vulnerabilities in the BD Alaris Gateway Workstation. The vulnerabilities
were reported
by Elad Luz of CyberMDX. BD reports that the latest firmware mitigates the first
vulnerability and provides generic mitigations for the second. There is no
indication that Luz has been provided an opportunity to verify the efficacy of
the fix.
The two reported vulnerabilities are:
• Improper access control - CVE-2019-10962; and
• Unrestricted upload of file with dangerous type - CVE-2019-10959
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to view and edit
device status and configuration details as well as cause devices to become
unavailable.