This week we have 11 vendor disclosures for products from
Siemens (3), Schneider (3), Bosch (2), 3S, Eaton, and Draeger. We also have 3 vendor
updates from Schneider (2) and Siemens.
Siemens Advisories
DejaBlue Advisory
Siemens published an
advisory describing the Microsoft Windows® DejaBlue
vulnerabilities in the Siemens Healthineers Products. In most of the affected
products Siemens is recommending applying the appropriate MS patches.
Siemens repeatedly makes the following observation: “The
compatibility of Microsoft security patches with products from Siemens
Healthineers that are beyond their End of Support date cannot be guaranteed.”
RUGGEDCOM URGENT/11 Advisory
Siemens published an advisory
describing the Wind River URGENT/11
vulnerabilities in the Siemens RUGGEDCOM Win base stations. Siemens provides
generic workarounds for the vulnerabilities.
SINEMA Advisory
Siemens published an advisory describing four vulnerabilities in the Siemens SINEMA Remote Connect Server. The vulnerabilities were reported by Hendrik Derre and Tijl Deneut from HOWEST. Siemens has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The four reported vulnerabilities are:
• Password guessing - CVE-2019-13918;
• Privilege escalation - CVE-2019-13919;
• Cross-site request forgery - CVE-2019-13920; and
• Password hash - CVE-2019-13922
Siemens Update
Siemens published an update
for an advisory that was originally
published on June 9th, 2019. This update provides corrected
version information and mitigation information for:
• FieldPG M4;
• FieldPG M5; and
• ITP1000
Schneider Advisories
U.Motion Server Advisory
Schneider published an advisory describing six vulnerabilities in the Schneider U.motion DIN rail and touch panel servers. The vulnerabilities were reported by Zhu Jiaqi and Constantin-Cosmin Craciun. Schneider has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The six reported vulnerabilities are:
• Cross-site scripting - CVE-2019-6835;
• Improper access control (3) - CVE-2019-6836, CVE-2019-6838
and CVE-2019-6839;
• Server-side request forgery - CVE-2019-6837; and
• Format string - CVE-2019-6840
Modicon Quantum Advisory
Schneider published an
advisory describing an improper check for unusual or exceptional conditions
vulnerability for the Schneider Modicon Quantum 140 NOE771x1 controllers. The
vulnerability is self-reported. Schneider has a new version that mitigates the
vulnerability.
TwidoSuite Advisory
Schneider published an advisory describing two vulnerabilities in the Schneider TwidoSuite product. The vulnerabilities are self-reported. This product is no longer supported.
The two reported vulnerabilities are:
• Untrusted search path;
• Input validation
Schneider Updates
BlueKeep Update
Schneider published an
update for an advisory that was originally published on July 12, 2019. The
update includes:
• Exploit information; and
• Updated affected product versions
Floating License Manager Update
Schneider published an update for an advisory that was originally published on May 14th, 2019. The update provides updated affected product information.
Bosch Advisories
Bosch published two advisories (here and here) describing
vulnerabilities in the Access Professional access control system. The vulnerabilities
were reported by Oleksii Orekhov. Bosch has a new version that mitigates the vulnerabilities.
There is no indication that Orekhov has been provided an opportunity to verify
the efficacy of the fix.
The two reported vulnerabilities are:
• Hard-coded credentials - CVE-2019-11898; and
• Improper access control - CVE-2019-11899
3S Advisory
3S published an advisory describing a stack-based buffer overflow vulnerability in the CODESYS V2.3 ENI servers. This vulnerability was reported by Chen Jie from NSFOCUS. 3S has an update that mitigates the vulnerability. There is no indication that Chen has been provided an opportunity to verify the efficacy of the fix.
Eaton Advisory
Eaton published an
advisory describing multiple undisclosed vulnerabilities in the Eaton Intelligent
Power Protector. The vulnerabilities are apparently self-reported. Eaton has a
new version that mitigates the vulnerabilities.
NOTE: Eaton continues to publish unusable security
advisories.
Draeger Advisory
Draeger published an advisory describing the Microsoft Windows® DejaBlue vulnerabilities in Draeger products.