Tuesday, July 30, 2019

2 Advisories and 1 Alert Published – 07-30-19


Today the DHS NCCIC-ICS published a control system security alert for CAN bus network implementation in avionics and two control system security advisories for products from Prima Systems and Wind River.

CAN Bus Alert


This alert briefly describes a public report about insecure implementation of CAN bus networks affecting aircraft. The report was published by Patrick Kiley of Rapid7.

Prima Systems Advisory


This advisory describes nine vulnerabilities in the Prima Systems FlexAir access control platform. The vulnerabilities were reported by Gjoko Krstic of Applied Risk. Prima Systems has a new version that mitigates the vulnerabilities. There is no indication that Krstic has been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

OS command injection - CVE-2019-7670;
Unrestricted upload of file with dangerous type (2) - CVE-2019-7669 and CVE-2019-9189;
Cross-site request forgery - CVE-2019-7281;
Small space of random values - CVE-2019-7280;
Cross-site scripting - CVE-2019-7671;
Exposure of a backup file to an unauthorized control sphere - CVE-2019-7667;
Improper authentication - CVE-2019-7666; and
Use of hard-coded credentials - CVE-2019-7672

NOTE 1: NCCIC-ICS does not include a default credentials vulnerability, CVE-2019-7668, reported by Krstic.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute commands directly on the operating system, upload malicious files, perform actions with administrative privileges, execute arbitrary code in a user’s browser, discover login credentials, bypass normal authentication, and gain full system access.

NOTE 2: I briefly described the Rapid7 report back in May.

Wind River Advisory


This advisory describes eleven vulnerabilities in the Wind River VxWorks operating system. The vulnerabilities were reported by Armis researchers Gregory Vishnepolsky, Dor Zusman, and Ben Seri. Wind River has patches to mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The eleven reported vulnerabilities are:

Stack-based buffer overflow - CVE-2019-12256;
Heap-based buffer overflow - CVE-2019-12257;
Integer underflow - CVE-2019-12255;
Improper restrictions of operations within the bounds of a memory buffer (2) - CVE-2019-12260 and CVE-2019-12261;
Race condition - CVE-2019-12263;
Argument injection or modification (4) - CVE-2019-12258, CVE-2019-12262, CVE-2019-12264 and CVE-2019-12265; and
Null pointer dereference - CVE-2019-12259

Since the affected operating systems are used in a large number of IoT and ICS systems, we can expect advisories from affected vendors implementing the Wind River mitigation measures. The NCCIC-ICS advisory already lists 2 vendor advisories and the Armis report adds a third. The three vendor advisories available to date include:

Rockwell,
Xerox, and

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote code execution.
