Yesterday the CISA NCCIC-ICS published five control system
security advisories for products from Honeywell and Moxa (4).
Honeywell Advisory
This advisory describes three vulnerabilities in the Honeywell WIN-PAK monitoring platform.
The vulnerabilities are self-reported. Honeywell has an update available that
mitigates the vulnerabilities.
The three reported vulnerabilities are:
• Cross-site scripting - CVE-2020-7005;
• Improper neutralization of HTTP headers for scripting syntax - CVE-2020-6982; and
• Use of obsolete function - CVE-2020-6978
NCCIC-ICS reports that an uncharacterized attacker could
remotely exploit the vulnerabilities to perform remote
code execution.
EDS-G516E Advisory
This advisory describes seven vulnerabilities in the Moxa EDS-G516E series and
EDS-510E series Ethernet switches. The vulnerabilities were reported by Ilya Karpov and
Evgeniy Druzhinin from Rostelecom-Solar, and Georgy Zaytsev of Positive
Technologies. Moxa has new firmware that mitigates the vulnerabilities. There
is no indication that the researchers have been provided an opportunity to
verify the efficacy of the fix.
The seven reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2020-7007;
• Use of broken or risky encryption algorithm - CVE-2020-7001;
• Use of hard-coded cryptographic key - CVE-2020-6979;
• Use of hard-coded credentials - CVE-2020-6981;
• Classic buffer overflow - CVE-2020-6989;
• Cleartext transmission of sensitive information - CVE-2020-6997; and
• Weak password requirements - CVE-2020-6991
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to crash the device, execute
arbitrary code, and allow access to sensitive information.
PT-7528 Advisory
This advisory describes six vulnerabilities in the Moxa PT-7528 Series and PT-7828
Series Ethernet switches. The vulnerabilities were reported by Ilya Karpov and Evgeniy
Druzhinin from Rostelecom-Solar, and Georgy Zaytsev of Positive Technologies.
Moxa has a security patch that mitigates the vulnerabilities. There is no
indication that the researchers have been provided an opportunity to verify the
efficacy of the fix.
The six reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2020-6989;
• Use of broken or risky cryptographic algorithm - CVE-2020-6987;
• Use of a hard-coded cryptographic key - CVE-2020-6983;
• Use of hard-coded credentials - CVE-2020-6985;
• Weak password requirements - CVE-2020-6995; and
• Information exposure - CVE-2020-6993
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to crash the device or allow
access to sensitive information.
ioLogik 2542-HSPA Advisory
This advisory describes three vulnerabilities in the Moxa ioLogik 2542-HSPA Series
Controllers and IOs, and IOxpress Configuration Utility. The vulnerabilities were
reported by Ilya Karpov and Evgeniy Druzhinin from Rostelecom-Solar. Moxa has a
security patch that mitigates the vulnerabilities. There is no indication that
the researchers have been provided an opportunity to verify the efficacy of the
fix.
The three reported vulnerabilities are:
• Clear-text storage of sensitive information - CVE-2019-18238;
• Clear-text transmission of sensitive information - CVE-2020-7003; and
• Incorrectly specified destination in a communication channel - CVE-2019-18242
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to crash the device or allow access
to sensitive information.
MB3xxx Advisory
This advisory describes nine vulnerabilities in the Moxa MB3170 series, MB3180 series, MB3270
series, MB3280 series, MB3480 series, and MB3660 series protocol gateways. The
vulnerabilities were reported by Ilya Karpov and Evgeniy Druzhinin from
Rostelecom-Solar, and Georgy Zaytsev of Positive Technologies. Moxa has new firmware
that mitigates the vulnerabilities. There is no indication that the researchers
have been provided an opportunity to verify the efficacy of the fix.
The nine reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2019-9099;
• Integer overflow to buffer overflow - CVE-2019-9098;
• Cross-site request forgery - CVE-2019-9102;
• Use of broken or risky encryption algorithm - CVE-2019-9095;
• Information exposure - CVE-2019-9103;
• Clear-text transmission of sensitive information - CVE-2019-9101;
• Weak password requirements - CVE-2019-9096;
• Clear-text storage of sensitive information - CVE-2019-9104; and
• Incorrectly specified destination in a communication channel - CVE-2019-9097
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit these vulnerabilities to crash the device, cause a
buffer overflow, allow remote execution of arbitrary code, or allow access to
sensitive information.
NOTE: All four of these Moxa advisories cover vulnerabilities
that were originally reported by Moxa on September 25th, 2019.