Yesterday the DHS NCCIC-ICS published five control system
security advisories for products from Advantech, SICK AG, and ABB (three advisories). They
also published a medical device security advisory for products from Medtronic.
Advantech Advisory
This advisory
describes six vulnerabilities in the Advantech WebAccess/SCADA software
platform. The vulnerabilities were reported by Mat Powell, Natnael Samson
(@NattiSamson) and EljahLG via the Zero Day Initiative. Advantech has a new
version that mitigates the vulnerabilities. There is no indication that the researchers
have been provided an opportunity to verify the efficacy of the fix.
The six reported vulnerabilities are:
• Path traversal - CVE-2019-10985;
• Stack-based buffer overflow - CVE-2019-10991;
• Heap-based buffer overflow - CVE-2019-10989;
• Out-of-bounds read - CVE-2019-10983;
• Out-of-bounds write - CVE-2019-10987; and
• Untrusted pointer dereference - CVE-2019-10993.
NCCIC-ICS reports that a relatively low-skilled attacker could
remotely exploit these vulnerabilities to allow information disclosure,
deletion of files, and remote code execution.
SICK Advisory
This advisory
describes a use of hard-coded credentials vulnerability in the SICK MSC800 PLC.
The vulnerability was reported by Tri Quach of Amazon’s Customer Fulfillment Technology
Security (CFTS) group. SICK has new firmware that mitigates the vulnerability.
There is no indication that Quach has been provided an opportunity to verify
the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could
remotely exploit this vulnerability to reconfigure settings and/or disrupt the
functionality of the device.
CP 635 Advisory
This advisory
describes a use of hard-coded credentials vulnerability in the ABB CP620 and CP635
HMI products. The vulnerability is self-reported. ABB has an update available
that mitigates the vulnerability.
The ABB
advisory describes two other vulnerabilities with these products and
reports that the vulnerabilities were reported by Xen1thLabs. The individual
vulnerability reports from Xen1thLabs (see links below) include proof of
concept exploits.
The three reported vulnerabilities are:
NCCIC-ICS reports that a relatively low-skilled attacker on
an adjacent network could exploit the (single reported?) vulnerability to allow
an attacker to prevent legitimate access to an affected system node, remotely
cause an affected system node to stop, take control of an affected system node,
or insert and run arbitrary code in an affected system node.
CP 651 Advisory
This advisory
describes a use of hard-coded credentials vulnerability in the ABB CP651, CP665
and CP676 HMI products. The vulnerability is self-reported. ABB has an update
available that mitigates the vulnerability.
The ABB
advisory describes the same two other vulnerabilities with these products
and reports that the vulnerabilities were discovered based upon the work of Xen1thLabs
on the CP 635 vulnerabilities reported above.
NCCIC-ICS reports that a relatively low-skilled attacker on
an adjacent network could exploit the (single reported?) vulnerability to allow
an attacker to prevent legitimate access to an affected system node, remotely
cause an affected system node to stop, take control of an affected system node,
or insert and run arbitrary code in an affected system node.
Panel Builder Advisory
This advisory
describes seven vulnerabilities in the ABB PB610 Panel Builder 600 engineering
tool. The vulnerabilities were reported by Xen1thLabs. ABB has new versions
available that mitigate the vulnerabilities. There is no indication that Xen1thLabs
has been provided an opportunity to verify the efficacy of the fix.
The six reported vulnerabilities (with links to the Xen1thLabs
reports, which contain proof of concept exploit code) are:
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit these vulnerabilities to prevent
legitimate access to an affected system node, remotely cause an affected system
node to stop, take control of an affected system node, or insert and run
arbitrary code in an affected system node.
Medtronic Advisory
This advisory
describes an improper access control vulnerability in the Medtronic MiniMed 508
and Paradigm Series Insulin Pumps. The vulnerability is self-reported, but
NCCIC-ICS notes that the internal investigation by Medtronic was guided by
previous work from outside researchers on other Medtronic products. Medtronic
suggests upgrading to a newer product. The FDA
advisory on this product notes that Medtronic is recalling the affected
insulin pumps.
NCCIC-ICS reports that an uncharacterized attacker with
adjacent access (radio frequency access according to the Medtronic
advisory) could exploit this vulnerability to intercept, modify, or
interfere with the wireless RF (radio frequency) communications to or from the
product. This may allow attackers to read sensitive data, change pump settings,
or control insulin delivery.