Yesterday the DHS NCCIC-ICS published five control system
security advisories for products from 3S and a medical device security advisory
for products from Philips.
Communication Server Advisory
This advisory
describes a detection of error condition without action vulnerability in the CODESYS
V3 products containing a CODESYS communication server. The vulnerability was
reported by Martin Hartmann from cirosec GmbH. 3S has a new version that
mitigates the vulnerability. There is no indication that Hartmann has been
provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to cause a denial-of-service
condition.
OPC UA Server Advisory
This advisory
describes a null pointer dereference vulnerability in the CODESYS Control V3
OPC UA Server. The vulnerability is self-reported. 3S has a new version that
mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to cause a denial-of-service
condition.
Online User Management Advisory
This advisory
describes an incorrect permission assignment for critical resource vulnerability
in the CODESYS Control V3 online user management. The vulnerability is
apparently self-reported. 3S has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to allow unauthorized actors access to
unintended functionality and/or information.
Library Manager Advisory
This advisory
describes a cross-site scripting vulnerability in the CODESYS V3 Library
Manager. The vulnerability was reported by Heinz Füglister of WRH Walter Reist
Holding AG. 3S has a new version that mitigates the vulnerability. There is no
indication that Füglister has been provided an opportunity to verify the
efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to allow malicious
content from manipulated libraries to be displayed or executed.
Web Server Advisory
This advisory
describes two vulnerabilities in the CODESYS V3 web server. The vulnerabilities
were reported by Ivan Cheyrezy of Schneider Electric. 3S has new versions that
mitigate the vulnerabilities. There is no indication that Cheyrezy has been
provided an opportunity to verify the efficacy of the fixes.
The two reported vulnerabilities are:
• Path traversal - CVE-2019-13532; and
• Stack-based buffer overflow - CVE-2019-13548
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to create a
denial-of-service condition, to perform remote code execution, or to access
restricted files.
NOTE 1: It is good to see cooperative sharing of
vulnerability information between vendors, but I suspect that Schneider
reported these vulnerabilities because they found them in one or more of their
own products that use the CODESYS web server as a third-party component. It
will be interesting to see how long it takes Schneider to report these
vulnerabilities in their own products.
NOTE 2: 3S has not yet reported any of the vulnerabilities in
the above advisories on their web site.
They did, however, publish an advisory on another product earlier this week
that I will discuss tomorrow.
Philips Advisory
This advisory
describes two vulnerabilities in the Philips IntelliVue WLAN portable patient
monitors. The vulnerabilities were reported by Shawn Loveric of Finite State,
Inc. One of the affected WLAN versions is out of support and will not receive
mitigation actions. Philips intends to have a patch available by the end of the year.
NCCIC-ICS reports that an uncharacterized attacker with
uncharacterized access could exploit the vulnerabilities to cause corruption of
the IntelliVue WLAN firmware and impact to the data flow over the WLAN Version
A and WLAN Version B wireless modules. This would lead to an inoperative
condition alert at the device and Central Station. The Philips
advisory reports that it would take “an unauthorized user with a high skill
level and access to the device’s local area network” to exploit the
vulnerabilities.