This week we have four vendor disclosures from Phoenix
Contact, ABB, Johnson Controls, and BD. There are three vendor updates from 3S,
Yokogawa, and Belden. There are also three exploit reports from researchers for
products from Carel and Intelligent Security Systems. The latter may be a 0-day
exploit.
Phoenix Contact Advisory
Phoenix Contact published an
advisory [.PDF download link] describing an unauthorized access vulnerability
in their FL NAT industrial ethernet switch/router. The vulnerability is
self-reported. Phoenix Contact provides generic mitigation measures pending the
development of new firmware.
ABB Advisory
ABB published an
advisory describing an authentication bypass vulnerability in their Power Generation
Information Manager. The vulnerability was reported by Rikard Bodforss
at CS3STHLM. ABB has a new version that mitigates the vulnerability. Bodforss
has verified the efficacy of the fix.
NOTE: The disclosure blog post by Bodforss has an excellent
discussion about the vulnerability disclosure dilemma from the viewpoint of a
researcher. Well worth reading.
Johnson Controls Advisory
Johnson Controls has published an
advisory describing two vulnerabilities in their FX Supervisory Controller.
The vulnerabilities were reported in the
third-party QNX operating system. Johnson Controls has patches to mitigate the
vulnerabilities, and a new version to be released later this month will fully
address the problems.
The two reported vulnerabilities are:
• Information exposure - CVE-2019-8998; and
• Improper authorization - CVE-2019-13528
NOTE 1: I wonder if NCCIC-ICS will update their Tridium
advisory to provide a link to this advisory? Nah.
NOTE 2: Just another case of wondering what other vendors
use the same vulnerable operating system?
BD Advisory
BD has published an
advisory for the DejaBlue
remote desktop vulnerabilities in their products. BD has provided generic
workarounds while it continues to test and validate the Microsoft patch for BD
products.
3S Update
3S published an
update of their CODESYS ENI server advisory that was originally
published on September 12, 2019. The new information includes:
• Additional mitigation measure;
• Mitigated version updated; and
• CVE added
Yokogawa Update
Yokogawa published an
update of their unquoted service path advisory that was originally
published on September 27th, 2019 and most
recently updated on October 24th. The new information is
another change to the Exaquantum mitigation.
Belden Update
Belden published an
update of their URGENT/11 advisory
that was originally published on July 11th, 2019 and most
recently updated on September 5th. The new information includes
updated mitigation information for their EAGLE and EAGLE one products.
Carel Exploits
Red Team Pentesting published exploit
code for an unsafe storage of credentials vulnerability in the Carel pCOWeb
card. This vulnerability was previously
reported in the Rittal Chiller using the pCOWeb card. Red Team Pentesting
reports that Carel considers this product obsolete and no longer provides
updates for the firmware.
Red Team Pentesting published exploit
code for an unauthenticated access to Modbus interface vulnerability in the
Carel pCOWeb card. This vulnerability was previously
reported in the Rittal Chiller using the pCOWeb card. Red Team Pentesting
reports that Carel considers this product obsolete and no longer provides
updates for the firmware.
Intelligent Security Systems Exploit
Alberto Vargas published exploit code for an
unquoted service path vulnerability in the Intelligent Security Systems SecurOS
Enterprise. There is no indication that this disclosure was coordinated
with the vendor, so this may be a 0-day exploit.