Public ICS Disclosures – Week of 11-09-19

This week we have four vendor disclosures for products from ABB, Gemalto and Schneider (2). We also have updates for products from Schneider (6) and Siemens (2). Finally, we have 26 exploits published for products from Siemens and several building access control systems.

ABB Advisory

ABB published an advisory describing an Active-X/Java Script vulnerability in the ABB Automation Builder and Drive Application Builder products. The vulnerability is in a third-party component from 3S. The vulnerability was reported by Heinz Füglister of WRH Walter Reist Holding AG. ABB provides generic workarounds pending development of new versions that will mitigate the vulnerability.

Gemalto Advisory

Gemalto published an advisory (available to registered customers only) for undisclosed vulnerabilities in the Sentinel LDK License Manager.

Schneider Advisories

Schneider published an advisory describing a failure to preserve web page structure vulnerability in the Andover Continuum line of controllers. The vulnerability was reported by Ken Pyle, DFDR Consulting. Schneider recommends disabling the web server in this legacy product.

Schneider published an advisory describing and information exposure vulnerability in the Modicon Controllers. The vulnerability is self-reported. Schneider has provided generic workarounds to mitigate the vulnerability.

Schneider Updates

Schneider published an update for their  URGENT/11 advisory. The new information includes:

• Updated Remediations for ConneXium Industrial Firewall, Easergy Micom C264 Controller, and Modicon M262 Logic/Motion Controller;

• Enhanced product list with additional details for Modicon X80 I/O modules;

• Added Modicon Quantum Head 140 CRP and Modicon Momentum Unity; and

• Removed TMSES4 Ethernet Module from affected products

Schneider published an update for their DejaBlue advisory.  The new information includes:

• Added EcoStruxure Technology Platform (ETP) to the affected product list;

• Updated remediation for EcoStruxure Substation Operation Gateway (page 4), and

• Updated the affected product details for Conext Control

Schneider published an update for their BlueKeep advisory. The new information includes updated “Conext Control” affected products and remediation detail.

Schneider published an update for their ZombieLoad advisory. The new information includes updated affected product details for “Conext Control” product.

Schneider published an update for their ConneXium Gateway advisory that was originally published on May 14^th, 2019. The new information includes updated affected products to include EGX100 and

ECI850 variants.

Schneider published an advisory for their Triconex advisory that was originally published on March 12^th, 2019. The new information includes remediations updated.

Siemens Updates

Siemens published an update for their GNU/Linux advisory that was originally published on November 27^th, 2018. The new information includes adding six new CVE’s:

• CVE-2017-18551;

• CVE-2018-5390;

• CVE-2018-20856;

• CVE-2019-15902,

• CVE-2019-15916; and

• CVE-2019-15921

Siemens published an update for their ZombieLoad advisory. The new information includes updated version and mitigation information for:

• SIMOTION P320-4E;

• SIMOTION P320-4S; and

• SIMATIC IPC547G

Siemens Exploit

LiquidWorm published an exploit for a previously disclosed vulnerability in the Siemens Desigo PX automation controllers.

Building Automation Exploits

LiquidWorm published a series of exploits for building automation vulnerabilities that were described in a white paper by Applied Risk in June.