Today the CISA NCCIC-ICS published three control system security
advisories for products from Rockwell and ABB (2).
Rockwell Advisory
This advisory describes
an improper access control vulnerability in the Rockwell Allen-Bradley Stratix
5950. The vulnerability was reported by Cisco (actually it appears that it is a
third-party vulnerability from Cisco that was originally reported
in May of last year). Rockwell has a new firmware version that mitigates
the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to write a
modified image to the component.
NOTE: There is at least one publicly available exploit (Thrangycat) for
this vulnerability on Cisco equipment. That is not mentioned in either the
NCCIC-ICS advisory or the Rockwell
advisory (which is not referenced in the NCCIC-ICS advisory).
Asset Suite Advisory
This advisory describes
an authorization bypass through user controlled key vulnerability in the ABB Asset
Suite. This vulnerability is self-reported. ABB has an update that mitigates
the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to gain access to
unauthorized information in the application by direct resource access.
NOTE: I briefly
described this vulnerability last month.
eSOMS Advisory
This advisory describes
13 vulnerabilities in the ABB eSOMS. These vulnerabilities are self-reported.
ABB has a new version that mitigates the vulnerabilities.
The 13 reported vulnerabilities are:
• Use of web browser cache containing sensitive information - CVE-2019-19000;
• Improper restriction of rendered UI layers or frames - CVE-2019-19001;
• Improper neutralization of HTTP headers for scripting syntax - CVE-2019-19002;
• Sensitive cookie without ‘HTTPOnly’ flag - CVE-2019-19003;
• Protection mechanism failure - CVE-2019-19089;
• Sensitive cookie in HTTPS session without ‘secure’ attribute - CVE-2019-19090;
• Exposure of sensitive information to an unauthorized actor - CVE-2019-19091;
• External control of critical state data - CVE-2019-19092;
• Weak password requirements - CVE-2019-19093;
• SQL injection - CVE-2019-19094;
• Cross-site scripting - CVE-2019-19095;
• Cleartext storage of sensitive information - CVE-2019-19096; and
• Inadequate encryption strength - CVE-2019-19096
NCCIC-ICS reports that a relatively low-skilled attacker could
remotely exploit the vulnerabilities to take over a user’s browser
session, discover session-based information, or affect the confidentiality of
sensitive information within the application.
NOTE: I also briefly
described this vulnerability last month.
1 comment:
Interestingly, Rockwell has never updated an older security advisory on the Stratix 5950: https://www.us-cert.gov/ics/advisories/ICSA-18-184-01 . Rockwell's advisory 1073860 still says that the product is vulnerable to CVE-2018-0228, CVE-2018-0227, CVE-2018-0231, CVE-2018-0240, and CVE-2018-0296, and that the older advisory will be updated when a firmware is released which fixes those old vulnerabilities. It isn't clear to anyone if applying this newly updated firmware will also fix the old vulnerabilities which have been known in the product for 2 years...