Saturday, December 14, 2019

Public ICS Disclosure – Week of 12-07-19


This week we have vendor disclosures from Siemens, Schneider (4) and Red Lion as well as advisory updates from Siemens (2) and Schneider. We also have security researcher reports for products from Advantech (2) and Schneider. And finally, we have an exploit published for products from Omron.

Siemens Advisory


Siemens published an advisory describing 53 vulnerabilities in their SPPA-T3000 servers. Vulnerabilities were reported by Gleb Gritsai, Eugenie Potseluevskaya, Sergey Andreev, and Radu Motspan from Kaspersky Lab; Vyacheslav Moskvin and Ivan B from Positive Technologies; and Can Demirel from Biznet Bilisim. Siemens has a new service pack for one of the affected servers that addresses a very limited number (3) of the applicable vulnerabilities. There is no indication that any of the researchers have been provided an opportunity to verify the efficacy of the fix.

NOTE 1: This is the advisory discussed in the TWITTER® thread I mentioned earlier this week.

NOTE 2: The first vulnerability reported in the advisory (CVE-2018-4832) was previously reported in other Siemens products. Siemens has not yet provided updates for all of those affected products, and this is not one of the vulnerabilities remediated in this advisory.

Siemens Updates


Siemens published an update for an advisory that was originally published on November 12th, 2019. The new information includes:

• Added SIMATIC S7-200 SMART to the list of affected devices; and
• SIPLUS devices now explicitly mentioned in the list of affected products.

NOTE: NCCIC-ICS did publish an update for their advisory on this vulnerability on Tuesday, but somehow I overlooked it in my blog post.

Siemens published an update for an advisory that was originally published on July 9th, 2019. The new information includes:

• Updates for SIMATIC IPC2X7E, SIMATIC IPC327E, SIMATIC IPC377E; and
• SIPLUS devices now explicitly mentioned in the list of affected products.

Schneider Advisories


Schneider published an advisory describing three "improper check for unusual or exceptional conditions" vulnerabilities in their Modicon Controllers. The vulnerabilities were reported by Younes Dragoni (Nozomi Networks), Chansim Deng, Mengmeng Young and Gideon Guo. Schneider has new firmware versions that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Schneider published an advisory describing an improper authorization vulnerability in their EcoStruxure™ Control Expert. The vulnerability was reported by Rongkuan Ma, Xin Che and Peng Cheng (Zhejiang University). Schneider has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

Schneider published an advisory describing a stack-based buffer overflow vulnerability in their Power SCADA Operation product. The vulnerability is self-reported. Schneider has a new version that mitigates the vulnerability.

Schneider published an advisory describing a permissions, privileges and access control vulnerability in their EcoStruxure Geo SCADA Expert (ClearSCADA). The vulnerability was reported by William Knowles (Lancaster University). Schneider has a new version that mitigates the vulnerability. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.

NOTE: Earlier this week there had been a fifth advisory listed on the Schneider security notifications site for their Saitel DP (866e) and Saitel DR (HUe) products, but that advisory has since been removed from the list.

Red Lion Advisory


Red Lion published an advisory describing the URGENT/11 vulnerabilities in their NT24k Switch Series. The vulnerabilities are self-reported. Red Lion has a firmware upgrade that implements the Wind River patch.

Advantech Researcher Reports


Mat Powell from the Zero Day Initiative published a report of a zero-day stack-based buffer overflow vulnerability in the Advantech Web Access product. The vulnerability has been coordinated through NCCIC-ICS. Advantech apparently reported that the vulnerability is in a third-party component but has not shared with NCCIC-ICS who that third party is. I do not know why NCCIC-ICS has not yet released an advisory on this vulnerability.

Tenable published a report [corrected bad link - 22:10 EDT 3-26-20] describing a stack-based buffer overflow vulnerability in the Advantech Web Access product. Advantech has a new version that Tenable has confirmed mitigates the vulnerability. The Tenable report includes exploit code.

NOTE: The two reports both describe stack-based buffer overflows, but in different components of the product (BwOpcBs.exe in the ZDI report; BwPAlarm.dll in the Tenable report).

Schneider Researcher Report


Applied Risk published a report describing an insecure file permissions vulnerability in the Schneider ClearSCADA product. This is probably the same vulnerability as described in the Schneider EcoStruxure advisory above, as William Knowles is associated with both reports.

Omron Exploit


NOBODY published an exploit for an unrestricted externally accessible lock vulnerability in the Omron CJ2M PLC. This appears to be the same vulnerability that was reported this week.

