Wednesday, March 4, 2020

1 Alert and 4 Advisories Published – 3-3-20

Yesterday the CISA NCCIC-ICS published a control system security alert for the SweynTooth vulnerabilities and four security advisories for products from Moxa, Omron, Phoenix Contact, and Emerson.

SweynTooth Alert


This alert describes multiple Bluetooth Low Energy (BLE) vulnerabilities known as the SweynTooth vulnerabilities. The vulnerabilities were reported by Matheus E. Garbelini, Sudipta Chattopadhyay, and Chundong Wang of the Singapore University of Technology and Design. NCCIC-ICS is coordinating with chip vendors on a resolution of these vulnerabilities.

Last month I briefly reported on an advisory issued by Philips for these vulnerabilities.

Moxa Advisory


This advisory describes twelve vulnerabilities in the Moxa AWK-3131A wireless networking appliance. The vulnerabilities were reported by Jared Rittle, Carl Hurd, Patrick DeSantis, and Alexander Perez Palma of Cisco Talos. Moxa has a patch that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker using publicly available code could remotely exploit the vulnerabilities to gain control of the device and remotely execute arbitrary code.

NOTE: Last Saturday I reported briefly on these vulnerabilities and provided links to the individual Talos reports that provide the proof-of-concept exploit code for these vulnerabilities.

Omron Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Omron PLC CJ Series. The vulnerability was reported by Jipeng You (XDU). Omron provided generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to cause a denial-of-service condition.

Phoenix Contact Advisory


This advisory describes an incorrect permission assignment for critical resource vulnerability in the Phoenix Contact Emalytics Controller ILC 2050 BI(L). The Phoenix Contact advisory notes that the vulnerability was reported by Anil Parmar. Phoenix Contact has a new version that mitigates the vulnerability. There is no indication that Parmar has been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to change the device configuration and start or stop services.

NOTE: I briefly reported on this vulnerability last month.

Emerson Advisory


This advisory describes an improper access control vulnerability in the Emerson ValveLink. The vulnerability is self-reported. Emerson has a new version that mitigates the vulnerability.


NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerability to allow arbitrary code execution.
