Tuesday, March 31, 2020

3 Advisories and 1 Update Published – 3-31-20


Today the CISA NCCIC-ICS published two control system security advisories for products from Mitsubishi Electric and Hirschmann Automation and a medical device security advisory for products from BD. They also updated an advisory for products from Schneider Electric.

Mitsubishi Advisory


This advisory describes an uncontrolled resource consumption vulnerability in the Mitsubishi MELSEC programmable controllers with MELSOFT transmission port (UDP/IP). The vulnerability was reported by Rongkuan Ma, Jie Meng, and Peng Cheng. Mitsubishi provided generic workarounds to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to render the device unresponsive.

Hirschmann Advisory


This advisory describes a classic buffer-overflow vulnerability in Hirschmann HiOS and HiSecOS. The vulnerability was reported by Sebastian Krause and Toralf Gimpel of GAI NetConsult. Hirschmann has new versions that mitigate the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

NCCIC-ICS reports that a relatively low-skilled, unauthenticated attacker could remotely exploit this vulnerability to overflow a buffer and fully compromise the device.

NOTE: The NCCIC-ICS advisory is actually based on a second revision of the Belden advisory that was originally published on February 14th, 2020 and most recently updated on February 26th, 2020. The most recently added information from Belden is the CVE number and link.

BD Advisory


This advisory describes a protection mechanism failure vulnerability in the BD Pyxis MedStation and Pyxis Anesthesia (PAS) ES System. The vulnerability is self-reported. BD provides generic workarounds to mitigate the vulnerability. The BD advisory states that they are in the process of deploying a security update that strengthens kiosk mode to mitigate the vulnerability.

NCCIC-ICS reports that a relatively low-skilled attacker with physical access could exploit the vulnerability to bypass kiosk mode and view and/or modify sensitive data.

Schneider Update


This update provides additional information on an advisory that was originally published on January 16th, 2020. The new information includes an updated CVSS score for CVE-2018-7794.
