This week we have a vendor disclosure from Niagara and vendor
updates from Belden and Phoenix Contact. There is also a researcher report of
vulnerabilities for products from Danfoss and a public report of an exploit for
previously reported vulnerabilities from Siemens.
Niagara Advisory
Niagara published an advisory describing two privilege escalation vulnerabilities
in the QNX operating system, which is used in a number of embedded automotive
systems. The vulnerabilities are apparently self-reported. Niagara has updates
that mitigate the vulnerabilities.
Belden Update
Belden published an update for their advisory on the Wind River VxWorks
vulnerabilities (Urgent/11). The new information includes the product version
numbers that mitigate the vulnerabilities.
Phoenix Contact Update
Phoenix Contact published an update [.PDF download] for previously reported
vulnerabilities in their AXC F 2152 products. The new information includes an
added remediation option for the SD card issue (page 6).
Danfoss Report
Risk Based Security published a report (see threatpost.com article) describing
seven vulnerabilities in the AK-EM 800 Enterprise Management solution from
Danfoss for the food retail industry. This was a coordinated disclosure, and
Danfoss has released an updated version that mitigates the vulnerabilities.
There is no indication that the researchers have verified the efficacy of the
fix.
The seven reported vulnerabilities are:
• Undocumented debug service predictable password remote backdoor;
• LogFilesDownloadServlet unauthorized remote access;
• Web interface user authentication account lockout remote DoS;
• Insecure default permissions local privilege escalation;
• Multiple files insecure default permissions local credential disclosure;
• Web interface default credentials; and
• Unsafe third-party components.
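As an added illustration of the two insecure-default-permission items in that list (this is example code written for this post, not code from the Risk Based Security report or from Danfoss), the following Python script audits a directory tree for the same two conditions, world-readable files that look like they hold credentials and world-writable files that get executed, and then applies the minimal fix. The directory layout, file names, mode bits and the credential-name heuristic are all constructed for the example and do not describe the AK-EM 800 install.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed heuristic: name fragments that commonly mark files holding secrets.
CREDENTIAL_HINTS = ("passwd", "password", "secret", "credential", ".key", "keystore")


def audit_permissions(root):
    """Walk root and flag mode bits that let any local account read
    credential-like files or modify files that are executed.

    Returns a sorted list of (relative_path, finding) tuples."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        mode = path.stat().st_mode
        rel = path.relative_to(root).as_posix()
        name = path.name.lower()
        world_readable = bool(mode & stat.S_IROTH)
        world_writable = bool(mode & stat.S_IWOTH)
        executable = bool(mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
        if world_readable and any(h in name for h in CREDENTIAL_HINTS):
            findings.append((rel, "world-readable credential file (local credential disclosure)"))
        if world_writable and executable:
            findings.append((rel, "world-writable executable (local privilege escalation)"))
        elif world_writable:
            findings.append((rel, "world-writable file"))
    return sorted(findings)


def harden(root, findings):
    """Apply the minimal fix for each finding: credential files become
    owner-only, and the world-write bit is cleared everywhere else."""
    root = Path(root)
    for rel, finding in findings:
        path = root / rel
        mode = stat.S_IMODE(path.stat().st_mode)
        if "credential" in finding:
            mode &= ~(stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH)
        else:
            mode &= ~stat.S_IWOTH
        os.chmod(path, mode)


def build_sample_tree():
    """Create a throwaway directory laid out like a small management-server
    install. Paths and modes here are constructed for this example."""
    base = Path(tempfile.mkdtemp(prefix="perm_audit_"))
    layout = {
        "conf/db_password.txt": 0o644,  # secret readable by every local user
        "conf/app.properties": 0o600,   # owner-only, nothing to report
        "bin/start.sh": 0o777,          # anyone can rewrite what the service runs
        "bin/stop.sh": 0o755,           # normal executable
        "logs/app.log": 0o666,          # writable by all, but never executed
    }
    for rel, mode in layout.items():
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("placeholder\n")
        os.chmod(path, mode)
    return base


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, finding in audit_permissions(root):
        print(f"{rel}: {finding}")
    harden(root, audit_permissions(root))
    print("after hardening:", audit_permissions(root))
```

Run it against the real install root of any appliance you are assessing instead of the constructed tree; the world-writable-executable case is the one that most often turns a local foothold into the service account's privileges, so treat it as the higher-priority finding even though the script reports both.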
Siemens Exploit
Pen Test Partners published a report on their development of an exploit for
the reversible encryption vulnerabilities in the Siemens SCALANCE switches.
Siemens reported these vulnerabilities back in June.