5 Advisories and 2 Updates Published – 12-19-19

Today the CISA NCCIC-ICS published four control system security advisories for products from Reliable Controls, WECON, Equinox and Moxa; and a medical device security advisory for products from Philips. They also updated two previously issued advisories for products from Omron and AVEVA.

Reliable Controls Advisory

This advisory describes a cross-site scripting vulnerability in the Reliable Controls MACH-ProWebCom/Sys building controllers. The vulnerability was reported by Gjoko Krstic of Applied Risk. Reliable Controls has a new firmware version that mitigates the vulnerability. There is no indication that Krstic was provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker could remotely exploit this vulnerability to allow an attacker to execute commands on behalf of the affected user.

NOTE: I briefly reported on this vulnerability back in August when Applied Risk published their report because they did not receive a reply from Reliable Controls about their vulnerability report.

WECON Advisory

This advisory describes a stack-based buffer overflow vulnerability in the WECON PLC Editor. The vulnerability was reported by Francis Provencher (PRL) and Natnael Samson (Natti) via the Zero Day Initiative. WECON is working on a solution to this vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit this vulnerability to allow an attacker to execute code under the privileges of the application.

Equinox Advisory

This advisory describes an SQL injection vulnerability in the Equinox Control Expert HMI/SCADA management platform. The vulnerability was reported by Juan Pablo Lopez Yacubian. NCCIC-ICS reports that Equinox has not responded to requests for information on mitigating this vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow remote code execution.

Moxa Advisory

This advisory describes an uncontrolled resource consumption vulnerability in the Moxa EDS-G508E, EDS-G512E, and EDS-G516E Series Ethernet Switches. The vulnerability was reported by Yuval Ardon and Matan Dobrushin of Otorio. Moxa has a patch that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to  cause the target device to go out of service.

NOTE: I briefly reported on this vulnerability back in November.

Philips Advisory

This advisory describes an inadequate encryption strength vulnerability in the Philips Veradius Unity, Pulsera, and Endura Dual WAN Routers. The vulnerability was reported by Daniel Yagudayev from New York Presbyterian Hospital. Philips has configuration information update available to mitigate the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that an uncharacterized attacker with uncharacterized access could exploit the vulnerability to compromise the management interface of the front end router impacting the availability of data transfer via wireless communication.

NOTE: I am seeing an increasing number of researchers reporting medical device security issues from hospitals. I hope that this is an indication of a growing security awareness/capability in the medical arena.

Omron Update

This update provides additional information on an advisory that was originally published on November 14^th, 2019. The new information was the addition of the following words to the vulnerability description:

“Version 5.0.8703 QS of TeamViewer is vulnerable to the items listed at the following location: Version 5.0.8703 QS TeamViewer vulnerabilities.”

NOTE: The version number is the same as was originally published so I do not know what these words mean.

AVEVA Update

This update provides additional information on an advisory that was originally published on October 17^th, 2019. This advisory added the Schneider Power SCADA Operation to the list of affected products.

I briefly reported on the Schneider advisory supporting this addition last Saturday, but I did not note that it was associated with the AVEVA vulnerability.