Tuesday, August 13, 2019

1 Alert, 3 Advisories and 4 Updates Published – 08-13-19


Today the DHS NCCIC-ICS published a control system security alert for products from Mitsubishi Electric; three control system security advisories for products from Siemens, OSIsoft, and Delta Industrial; and four control system advisory updates for products from Siemens.

Mitsubishi Alert


This alert describes a report of seven vulnerabilities in the Mitsubishi smartRTU and INEA ME-RTU. The vulnerabilities were reported (with exploit code) by Mark Cross (@xerubus) (NCCIC-ICS did provide the link to the report, a first). Cross disclosed the vulnerabilities to CISA and published the public disclosure under the 45-day disclosure policy.

The seven reported vulnerabilities are:

OS command injection - CVE-2019-14931;
Unauthenticated download of configuration file - CVE-2019-14927;
Stored cross-site scripting - CVE-2019-14928;
Use of hard-coded cryptographic keys - CVE-2019-14926;
Hard-coded user passwords - CVE-2019-14930;
Plaintext password storage - CVE-2019-14929; and
Incorrect default permissions - CVE-2019-14925


Siemens Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Siemens SCALANCE X switches. The vulnerability was reported by Younes Dragoni from Nozomi Networks. Siemens has provided generic workarounds. There is no indication that Dragoni has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition.

OSIsoft Advisory


This advisory describes two vulnerabilities in the OSIsoft PI Web API. The vulnerabilities are self-reported. OSIsoft has an update to mitigate the vulnerabilities.

The two reported vulnerabilities are:

Inclusion of sensitive information in log files - CVE-2019-13515; and
Protection mechanism failure.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit the vulnerabilities to allow direct attacks against the product and disclose sensitive information.

Delta Advisory


This advisory describes two vulnerabilities in the Delta DOPSoft Human Machine Interface (HMI) editing software. The vulnerabilities were reported by kimiya of 9SG Security Team via the Zero Day Initiative. Delta has a new version that mitigates the vulnerabilities. There is no indication that kimiya has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

Out-of-bounds read - CVE-2019-13513; and
Use after free - CVE-2019-13514

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow information disclosure, remote code execution, or crash of the application.

SIMATIC WinCC Update


This update provides additional information on an advisory that was originally reported on July 11th, 2019. The update provides new affected version information and mitigation links for:

SIMATIC WinCC V7.3;
SIMATIC PCS 7 V8.1, and
SIMATIC WinCC Runtime Professional V14

Spectrum Power Update


This update provides additional information on an advisory that was originally reported on July 9th, 2019. The update provides corrected version information for Spectrum Power 5.

SIPROTEC Update


This update provides additional information on an advisory that was originally reported on July 9th, 2019. The update provides additional mitigation information.

SIMATIC PCS7 Update


This update provides additional information on an advisory that was originally reported on July 9th, 2019. The update provides corrected version information and mitigation links for:

SIMATIC WinCC V7.3; and
SIMATIC PCS 7 V8.1

NOTE: Siemens published an additional two advisories and two updates today that were not reported by NCCIC-ICS. They may be reported on Thursday; if not, I will report on them on Saturday.
