4 Advisories Published – 2-20-20

Today the CISA NCCIC-ICS published four control system security advisories for products from Auto-Maskin, Honeywell, Rockwell Automation and B&R Industrial Automation.

Auto-Maskin Advisory

This advisory describes six vulnerabilities in the Auto-Maskin RP 210E Remote Panels, DCU 210E Control Units, and Marine Observer Pro (Android App). The vulnerability is apparently self-reported. Auto-Maskin has new firmware that mitigates the vulnerability.

The six reported vulnerabilities are:

• Cleartext transmission of sensitive information (2) - CVE-2018-5402 and CVE-2018-5401;

• Origin validation error - CVE-2018-5400;

• Use of hard-coded credentials - CVE-2018-5399;

• Weak password recovery mechanism for forgotten password - CVE-2019-6560; and

• Weak password requirements - CVE-2019-6558

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow a remote attacker to gain root access to the underlying operating system of the device and may allow read/write access.

Honeywell Advisory

This advisory describes two vulnerabilities in the Honeywell NOTI-FIRE-NET Web Server (NWS-3). The vulnerabilities were reported by Gjoko Krstikj. Honeywell has a firmware update that mitigates the vulenrabilities. There is no indication that Krstiki has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Authentication bypass by capture-replay - CVE-2020-6972; and

• Path traversal - CVE-2020-6974

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to allow an attacker to bypass web server authentication methods.

Rockwell Advisory

This advisory describes a deserialization of untrusted data vulnerability in the Rockwell FactoryTalk Diagnostics. The vulnerability was reported by rgod via the Zero Day Initiative. Rockwell has provided generic workarounds pending the development of updated software.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to allow a remote unauthenticated attacker to execute arbitrary code with SYSTEM level privileges.

B&R Advisory

This advisory describes an improper authorization vulnerability in the SNMP implementation in the B&R Automation Studio and Automation Runtime. The vulnerability was reported by Yehuda Anikster and Amir Preminger of Claroty. B&R is not able to fix the underlying SNMP vulnerability and has provided generic workarounds.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to allow a remote attacker to modify the configuration of affected devices.