This week we have two new vendor notifications from
Schneider and 18 researcher reports from Talos of vulnerabilities in products
from Schneider. We also have four updated notifications from Schneider (2) and Siemens
(2). Additionally, we have two vendor updates for advisories about the
Microsoft® RDP vulnerability from Philips and Drager.
Schneider Advisories
1. Schneider published an
advisory for a credential exposure vulnerability in the Schneider PowerSCADA
Expert product (NOTE: According to Schneider this also affects the AVEVA CitecSCADA,
but no AVEVA advisory has yet been published). This vulnerability is apparently
self-reported. Schneider has a new version that mitigates the vulnerability.
2. Schneider published an
advisory for three vulnerabilities in the Schneider ProClima product. The
vulnerabilities were reported by Kushal Arvind Shah (Fortinet), Telus, and Haojun
Hou and Yongjun Liu (NSFOCUS). Schneider has a new version that
mitigates the vulnerabilities. There is no indication that the researchers have
been provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Code injection - CVE-2019-6823;
• Buffer errors - CVE-2019-6824; and
• Uncontrolled search path element - CVE-2019-6825
Talos Reports on Schneider Vulnerabilities
Talos has provided reports with exploits on 18 vulnerabilities
in two products from Schneider: Modicon 580 UMAS and UnityPro PLC. These are
coordinated disclosures, but Schneider has not yet published advisories for
these vulnerabilities. Because of the volume I am not going to attempt to go
into details.
Modicon 580 UMAS
UnityPro
NOTE: There are still 10 reports pending on Schneider vulnerabilities
on the Talos Zeroday Reports web page. Someone has been spending a great
deal of time testing Schneider equipment.
Schneider Updates
1. Schneider updated an
advisory for the Schneider Embedded Web Servers for Modicon V2 (Note: this
has not been reported by NCCIC-ICS). The new information is the addition of
researcher acknowledgements.
2. Schneider updated an
advisory for the Schneider – U.motion Builder software (Note: this has not
been reported by NCCIC-ICS). Schneider is reporting that this vulnerability has
been exploited by Mirai malware. Schneider is making an unusual recommendation:
“It is imperative customers cease using U.motion Builder software and remove it from their systems immediately.”
Siemens Updates
1. Siemens updated an advisory
for Foreshadow/L1 terminal fault vulnerabilities in Industrial Products (Note:
this has not been reported by NCCIC-ICS). The new information is added
mitigation measures for:
• SIMATIC S7-1500 Software Controller;
• SIMATIC ET 200 SP Open Controller; and
• SIMATIC ET 200 SP Open Controller (F)
2. Siemens updated an
advisory for Vulnerabilities in the additional GNU/Linux subsystem of the
SIMATIC S7-1500 CPU. The update adds information for new firmware V2.6.1.
RDP Vulnerability
Two vendor advisories were updated this week: