This week we have vendor disclosures from Bosch (4),
Schneider, GE and BD. There is also one updated disclosure from Rockwell. Finally,
we have two researcher disclosures for products from Eaton and KMC Controls.
Bosch Advisories
Bosch published an
advisory describing a deserialization of untrusted data vulnerability in
their BVMS Mobile Video Service (BVMS MVS). The vulnerability is self-reported.
Bosch has a new version that mitigates the vulnerability.
Bosch published an
advisory describing a missing authentication for a critical function
vulnerability in their Video Streaming Gateway (VSG). The vulnerability is
self-reported. Bosch has a new version that mitigates the vulnerability.
Bosch published an
advisory describing a path traversal vulnerability in their BVMS NoTouch
deployment. Bosch has a new version that mitigates the vulnerability.
Bosch published an
advisory describing a path traversal vulnerability in their Bosch Video
Management System (BVMS). The vulnerability is self-reported. Bosch has a new
version that mitigates the vulnerability.
Schneider Advisory
Schneider published an
advisory describing two vulnerabilities in their EcoStruxure™ Operator
Terminal Expert software. The vulnerabilities were
discovered during the Pwn2Own
event at the S4x20. Schneider is investigating the vulnerabilities.
NOTE: The rules for the competition prevent public
disclosure of the vulnerabilities for 120 days after the event. Schneider is
being very proactive about publicly disclosing these 0-day vulnerabilities this
early.
The two reported vulnerabilities are:
• An arbitrary DLL loading issue; and
• A path traversal issue.
GE Advisory
GE published an
advisory describing the effects of the Ekans
ransomware on GE’s Proficy products as well as a GE licensing service. They
note that: “No known GE Digital product vulnerability is being targeted by
EKANS ransomware.”
BD Advisory
BD published an
advisory for the Windows
CryptoAPI vulnerability in their products. This preliminary advisory provides
a list of their products that utilize Windows 10, Windows Server 2016, and Windows
Server 2019 and may thus be affected by the vulnerability.
Rockwell Update
Rockwell published an
update to their Windows
CryptoAPI advisory. Rockwell reports that they have successfully qualified
the Microsoft patch for the vulnerability.
Eaton Disclosure
Skull Army published a
report describing a cross-site scripting vulnerability in the Eaton 5P 850.
The report includes proof-of-concept code. There is no indication that Eaton
has been informed so this may be a 0-day vulnerability.
KMC Controls Disclosure
Skull Army published a
report describing a back-door vulnerability in the KMC Controls BACnet
Building Controller. The report includes proof-of-concept code. There is no
indication that KMC Controls has been informed so this may be a 0-day
vulnerability.
NOTE: The report lists the manufacturer as “KMS Controls”,
but the NIST report for the CVE lists the product as “BAC-A1616BC BACnet” and
that product is from KMC Controls. I cannot find a listing for “KMS Controls”.