Today the DHS NCCIC-ICS published three control system
security advisories for products from Moxa, Yokogawa and Interpeak and a
medical device security advisory for products from Interpeak.
Moxa Advisory
This advisory describes two vulnerabilities in the Moxa EDR 810 router. According to the Moxa advisory these vulnerabilities were reported by Guillaume Lopes of Randorisec (a credit not included in the NCCIC-ICS advisory). Moxa has new firmware that mitigates the vulnerabilities. There is no indication that Lopes was provided an opportunity to verify the efficacy of the fix.
The two reported vulnerabilities are:
• Improper input validation - CVE-2019-10969; and
• Improper access control - CVE-2019-10963
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow remote code execution or access to sensitive information.
Yokogawa Advisory
This advisory
describes an unquoted search path or element vulnerability in the Yokogawa Exaopc,
Exaplog, Exaquantum, Exasmoc, Exarqe, GA10, and InsightSuiteAE products. The
vulnerability is self-reported. Yokogawa has revisions or updates for most of
the affected products.
NCCIC-ICS reports that a relatively low-skilled attacker
with uncharacterized access could exploit the vulnerability to allow a local
attacker to execute malicious files.
NOTE: I briefly
reported this vulnerability on Saturday.
Interpeak ICS Advisory
This advisory describes eleven vulnerabilities in the Interpeak IPnet stack. These vulnerabilities were previously reported as the Wind River URGENT/11 vulnerabilities. This advisory now reports that the vulnerabilities are also found in the following real-time operating systems (RTOS):
• ENEA - OSE4 and OSE5;
• Green Hills Software - INTEGRITY RTOS;
• ITRON; and
• IP Infusion - ZebOS.
Interpeak Medical Device Advisory
This advisory
describes the same URGENT/11 vulnerabilities due to problems in the Interpeak
IPnet stack as described above. The only difference is that this version
provides links to medical device vendor advisories.
Commentary
The two Interpeak advisories point out (AGAIN) how interconnected software systems are. Vulnerabilities found in one system are frequently found in third-party software that a vendor uses instead of writing new code. This is done for a variety of reasons, but frequently it is because a vendor does not have either the resources or the expertise in-house to develop the necessary code. This certainly makes economic sense.
Unfortunately, there does not seem to be a system in place
to ensure that other vendors that use the same code are notified in a timely
manner so that they can fix the related problems. In some cases, I suspect notifications
are made, corrective action is taken, but the vendor never reports the
vulnerability. The lack of notification is usually due to not wanting to look
bad, but it does little to help owners of the affected products who do not
update because their systems are ‘working fine’; their decisions might be made
differently (or not) if they knew about the vulnerabilities.