This week we have four vendor disclosures for products from
Meinberg, Johnson Controls, Eaton and Boston Scientific. There is a researcher
report of vulnerabilities in products from Proscend. There are also two exploit
reports for products from Wago and Schneider.
Meinberg Advisory
Meinberg published an
advisory describing 21 vulnerabilities in their LANTIME firmware. The
vulnerabilities were reported by Michal
Bazyli and Jakub Palaczynski. Meinberg has new firmware versions that mitigate
the vulnerabilities. There is no indication that the researchers have been
provided an opportunity to verify the efficacy of the fix.
NOTE: Nope, not going to do it. See the advisory.
Johnson Controls Advisory
Johnson Controls published an
advisory [.docx download link] describing a third-party JavaScript
vulnerability in their Metasys Server software. This vulnerability is
apparently self-reported. Johnson Controls recommends removing the Kibana service.
NOTE: There are a number of other vulnerabilities reported
for the same open source Kibana product on the Elastic web site.
Eaton Advisory
Eaton published an
advisory describing three vulnerabilities in their SMP Gateway. These
vulnerabilities are self-reported. Eaton has a new version that mitigates the
vulnerabilities.
The three reported vulnerabilities are:
• Heap-based buffer overflow - CVE-2017-2780 and CVE-2017-2781; and
• Integer overflow - CVE-2017-2782
NOTE: These vulnerabilities affect the processing of X.509
certificates in establishing TLS or SSL connections.
Boston Scientific Advisory
Boston Scientific published an
advisory for the Windows
CryptoAPI vulnerability in their products. They report that they are
unaware of any of their products being affected by this vulnerability.
Proscend Disclosure
xploited published a
report describing a remote code execution vulnerability in the Proscend
M302-L / M302-LG series of industrial-grade 4G LTE cellular routers. There is
no indication that xploited has notified Proscend of the vulnerability, so this
may be a 0-day vulnerability.
WAGO Exploit
0X483D published a Metasploit exploit for an authenticated
remote code execution vulnerability in the WAGO PFC200. There is no CVE
provided for the vulnerability and no indication that WAGO has been notified.
This may be a 0-day vulnerability.
Schneider Exploit
COSMIN CRACIUN published an exploit for an authenticated
command injection vulnerability in the Schneider U.Motion Builder. This
vulnerability was reported by Schneider in April 2018.