This week we have four vendor disclosures for products from
3S, Moxa (2) and Johnson Controls. There are also three exploit reports for
products from Emerson, FlowChief, and GE.
3S Advisory
3S published an
advisory describing a heap-based buffer overflow vulnerability in their CODESYS
V3 web server. The vulnerability was reported
by an OEM customer and Tenable, Inc. 3S has a new version that mitigates the
vulnerability. There is no indication that Tenable was provided an opportunity
to verify the efficacy of the fix.
NOTE 1: The Tenable report provides proof-of-concept exploit
code.
NOTE 2: A reminder that 3S (Codesys) software is included in
products from a large number of vendors (including the unnamed ‘OEM vendor’ who
reported the vulnerability to 3S). Those other vendors will each have to fix the problem
in their own systems.
Moxa Advisories
Moxa published an
advisory describing a denial of service vulnerability in the PROFINET
implementation in their EDS-G508E, EDS-512E, and EDS-516E Series
Ethernet Switches. The vulnerability was reported by Yuval Ardon and Matan
Dobrushin of Otorio. Moxa has a patch available that mitigates the
vulnerability. There is no indication that the researchers were provided an
opportunity to verify the efficacy of the fix.
Moxa published an
advisory describing an improper sanitization of special elements vulnerability in the
web GUI of their EDR-810 Series Secure Routers. The vulnerability was reported
by Neil Pope and Rhys Cable of the Motherwell Advanced Technologies Cyber Review
Team. Moxa has a new firmware version that mitigates the vulnerability. There
is no indication that the researchers were provided an opportunity to verify
the efficacy of the fix.
Johnson Controls Advisory
Johnson Controls has published an
advisory on the BlueKeep
vulnerability in their 4190 PC
Annunciator product running on Windows 7® systems. The 4190 PC Annunciator is
out-of-support and Johnson Controls has no replacement product.
Emerson Exploit
Luiz Martinez published an exploit for an unquoted
service path vulnerability in the Emerson PAC Machine. There is no CVE number
associated with this report and no information about coordination with Emerson.
This may be a 0-day exploit.
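The report does not say which service on the Emerson PAC Machine host is affected, so the useful thing an asset owner can do is audit their own Windows systems for the condition behind this vulnerability class: a service whose binary path is unquoted and contains spaces. The following PowerShell is an added example written for this post, not code from the page, from Emerson, or from the published exploit; it lists such services and offers a function that quotes the path in the registry.

```powershell
# Added example (not from the page or the vendor): audit Windows services for
# unquoted ImagePath values containing spaces, the root cause of "unquoted
# service path" weaknesses. Run from an elevated PowerShell session.
function Get-UnquotedServicePath {
    [CmdletBinding()]
    param()
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        # A null path, or one that already starts with a quote, is not at risk.
        if (-not $path -or $path.StartsWith('"')) { return }
        # Drop trailing arguments: keep everything up to and including the first ".exe".
        if ($path -notmatch '^(?<exe>.*?\.exe)') { return }
        $exe = $Matches['exe']
        # Only a space somewhere in the executable path creates the ambiguity.
        if ($exe -notmatch ' ') { return }
        [PSCustomObject]@{
            Name       = $_.Name
            StartName  = $_.StartName   # account the service runs as; LocalSystem is the high-impact case
            StartMode  = $_.StartMode
            Executable = $exe
            PathName   = $path
        }
    }
}

# Remediation: wrap the executable portion of ImagePath in quotes, leaving any
# arguments untouched. Takes effect the next time the service starts.
function Repair-UnquotedServicePath {
    param([Parameter(Mandatory)][string]$Name)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $current = (Get-ItemProperty -Path $key -Name ImagePath).ImagePath
    if ($current.StartsWith('"')) { return }
    if ($current -notmatch '^(?<exe>.*?\.exe)(?<args>.*)$') {
        throw "Cannot parse ImagePath for service $Name"
    }
    $fixed = '"' + $Matches['exe'] + '"' + $Matches['args']
    Set-ItemProperty -Path $key -Name ImagePath -Value $fixed
}

# Report only; call Repair-UnquotedServicePath -Name <service> for each finding you have reviewed.
Get-UnquotedServicePath | Format-Table -AutoSize
```

Findings where StartName is LocalSystem and one of the intermediate directories is writable by ordinary users are the ones to prioritise; vendor-installed services should be fixed through the vendor's own update where possible so the change survives reinstallation.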
FlowChief Exploit
Luiz Martinez published an exploit for a denial-of-service
vulnerability in the FlowChief scadaApp for iOS. There is no CVE number
associated with this report and no information about coordination with FlowChief.
This may be a 0-day exploit.
GE Exploit
Luiz Martinez published an
exploit for a denial-of-service vulnerability in the GE Open Proficy HMI-SCADA
app. There is no CVE number associated with this report and no information
about coordination with GE. This may be a 0-day exploit.
Commentary
With all three of the above exploits being potential 0-days,
the question will certainly arise: why did I publish these notices? Am I not
giving publicity to researchers who cannot be bothered coordinating their
disclosures? My intention is to ensure that the users of the affected systems
know that public exploits are available. This would be valuable information for
risk assessment purposes, and lacking the information that is widely available
to the ‘bad guys’ is not a good way to stay safe and secure.
Now I would much rather see researchers like Martinez
coordinate their disclosure with the vendor or with any of a wide variety of
disclosure coordinators (NCCIC-ICS or ZDI for instance). Lacking that, I would
rather see them publishing on public forums like FullDisclosure or exploit-DB
than selling the exploits on the DarkWeb.