This week we have three vendor disclosures for products from
BD, GE and Johnson Controls and an URGENT/11 update from Belden. There are also
three exploit code reports for products from Fronius, Salto and YachtControl.
BD Advisory
BD published an
advisory describing an anti-virus bypass vulnerability in BD products with
workstations running CylancePROTECT®. The third-party vulnerability was originally
reported by Skylight. BD recommends updating the CylancePROTECT product.
NOTE: I wonder what other ICS vendors bundle CylancePROTECT
as a cybersecurity tool? Since the product does not need to do signature
updates it would seem to be a tool designed for control system security.
GE Advisory
GE published an
advisory describing two privilege escalation vulnerabilities in the GE Digital
HMI/SCADA iFIX product. The vulnerabilities were reported by Applied Risk. GE
provides generic mitigation guidance for the vulnerabilities.
Johnson Controls Advisory
Johnson Controls published an
advisory describing vulnerabilities in a third-party component of their Software
House C•CURE 9000 application. The vulnerabilities in the Flexera FlexNet
Publisher licensing manager have been previously reported. Johnson Controls
has an update that mitigates the vulnerabilities.
Belden Update
Belden published an update of their URGENT/11 advisory that was originally
published July 29th, 2019 and most recently updated on October 30th, 2019.
The new information includes update information for Hirschmann HiOS RSPE TSN.
Fronius Exploit
SEC Consult published a
report containing exploit code for four vulnerabilities in the Fronius solar
inverter series. This is reportedly a coordinated disclosure.
Fronius has a firmware patch that mitigates the vulnerabilities. There is no
indication that SEC Consult has been provided an opportunity to verify the
efficacy of the fix.
The four reported vulnerabilities are:
• Unencrypted communication;
• Authenticated path traversal - CVE-2019-19229;
• Backdoor account - CVE-2019-19228; and
• Outdated and vulnerable software components
NOTE: This is the first time that I have seen an easter-egg
included in a vulnerability report.
Salto Exploit
SEC Consult published a
report containing exploit code for six vulnerabilities in the Salto ProAccess
Space management software for an access control system. This is reportedly a
coordinated disclosure. Salto has a patch that mitigates the vulnerabilities.
There is no indication that SEC Consult has been provided an opportunity to
verify the efficacy of the fix.
The six reported vulnerabilities are:
• Path traversal - CVE-2019-19458;
• Arbitrary file write - CVE-2019-19459;
• Stored cross-site scripting - CVE-2019-19457;
• Webserver running as Windows Service per default - CVE-2019-19460;
• Authorization issues; and
• Cleartext transmission of sensitive data
Yachtcontrol Exploit
Hodorsec published
exploit code for a remote code execution vulnerability in the Yachtcontrol web application. The
report includes a CVE number so this may be a coordinated disclosure.