Public ICS Disclosures – Week of 12-14-19

This week we have five vendor disclosures for products from WAGO, ABB, 3S, BD and Symantech. There is also an updated advisory from 3S.

WAGO Advisory

CERT-VDE published an advisory describing 9 vulnerabilities in the WAGO Series PFC100 and Series PFC200 devices. The vulnerabilities were reported (CVE links to individual reports) by Kelly Leuschner of Cisco Talos. WAGO has a specific workaround and firmware updates to mitigate the vulnerabilities. There is no indication that Leuschner has been provided an opportunity to verify the efficacy of the fix.

The nine reported vulnerabilities are:

• Information exposure through sent data - CVE-2019-5073;

• Buffer access with incorrect length value (2) - CVE-2019-5074 and CVE-2019-5075;

• Missing authentication for critical function (3) - CVE-2019-5077, CVE-2019-5078 and CVE-2019-5080; and

• Classic buffer overflow (3) - CVE-2019-5079, CVE-2019-5081 and CVE-2019-5082

NOTE1: The following Talos reports include exploit code: CVE-2019-5073; CVE-2019-5074; CVE-2019-5075; CVE-2019-5079; CVE-2019-5081; CVE-2019-5082

NOTE2: Talos reports that some of these vulnerabilities are in third-party components from 3S.

ABB Advisory

ABB published an advisory that describes four vulnerabilities in their PB610 Panel Builder 600. The vulnerabilities were reported by NSFOCUS. ABB has a new version that mitigates the vulnerabilities. There is no indication that NSFOCUS was provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• PB610 HMIStudio crashes after launching an empty *.JPR application file;

• PB610 HMISimulator does not check content-length of the HTTP request;

• PB610 HMIStudio accepts malicious DLL file in an application; and

• PB610 HMISimulator provides interface with access to arbitrary files

3S Advisory

3S published an advisory [.PDF download link] describing a null pointer dereference vulnerability in their CODESYS V2 runtime systems. The vulnerability was reported by Chen Jie from NSFOCUS. 3S has new versions that mitigate the vulnerability. There is no indication that Chen has been provided an opportunity to verify the efficacy of the fix.

3S Update

3S published an update [.PDF download link] of an advisory that was originally published on November 20^th, 2019. The new data includes updated exploit information.

BD Advisory

BD has published an advisory describing the impact of the Internet Explorer® Scripting Engine Memory Corruption Vulnerability in their products. The vulnerability is self-reported. BD is working to test and validate the Microsoft patch for BD products that use the affected third-party components.

Symantec Advisory

Symantec has published an advisory describing an improper authentication vulnerability in their Industrial Control System Protection product. The vulnerability was reported by Tyler Holland at Horne Cyber Solutions. Symantec has an update that mitigates the vulnerability. There is no indication that Holland has been provided an opportunity to verify the efficacy of the fix.