Yesterday the CISA NCCIC-ICS published six control system
security advisories for products from Rockwell, Johnson Controls (2) and
Siemens (3). They also updated 13 advisories for products from Siemens. Yes, it
is going to be a long post.
Rockwell Advisory
This advisory
describes four vulnerabilities in the Rockwell MicroLogix 1400 Controllers,
MicroLogix 1100 Controllers, and RSLogix 500 Software. The vulnerabilities were
reported by Ilya Karpov, Evgeny Druzhinin from ScadaX Security and Dmitry
Sklyarov from Positive Technologies. Rockwell has updates that mitigate the
vulnerabilities. There is no indication that the researchers have been provided
an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could
remotely exploit the vulnerabilities to gain access to
sensitive project file information including passwords.
NOTE: I briefly
reported on and listed these vulnerabilities last Saturday.
Metasys Advisory
This advisory
describes an improper restriction of XML external entity reference
vulnerability in the Johnson Controls Metasys. The vulnerability was reported
by Lukasz Rupala. Johnson Controls has an executable file that mitigates the
vulnerability. There is no indication that Rupala has been provided an opportunity
to verify the efficacy of the fix.
NOTE: the Johnson Controls advisory
reports that this is a third party vulnerability in the Microsoft .NET
framework.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to allow a denial-of-service attack
or disclosure of sensitive data.
Kantech Advisory
This advisory
describes an improper input validation vulnerability in the Johnson Controls Kantech
EntraPass security management software. The vulnerability is self-reported.
Johnson Controls has a new version that mitigates the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit this vulnerability to allow malicious code execution with
system-level privileges.
Spectrum Power Advisory
This advisory
describes a basic XSS vulnerability in the Siemens Spectrum Power 5 grid
control system. The vulnerability was reported by Kudelski Security Pen-testing
Team. Siemens provides generic workarounds to mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to affect the confidentiality or
integrity of the data and programming of the device.
S7-300 CPUs Advisory
This advisory
describes an uncontrolled resource consumption vulnerability in the Siemens SIMATIC
S7-300 CPUs and SINUMERIK Controller over Profinet. The vulnerability was
reported by Peter Cheng of Elex Cybersecurity, Inc. Siemens has an update that
mitigates the vulnerability. There is no indication that Cheng has been
provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerability to cause the affected device to go
into defect mode resulting in a denial-of-service condition.
SiNVR Advisory
This advisory
describes ten vulnerabilities in the Siemens SiNVR 3 video management platform.
The vulnerabilities are self-reported. Siemens has provided generic workarounds
to mitigate the vulnerabilities.
The ten reported vulnerabilities are:
• Path traversal - CVE-2019-19290, CVE-2019-19296 and CVE-2019-19297;
• Cleartext storage in file or on a disk - CVE-2019-19291;
• SQL injection - CVE-2019-19292;
• Cross-site scripting - CVE-2019-19293 and CVE-2019-19294;
• Insufficient logging - CVE-2019-19295;
• Improper input validation - CVE-2019-19298; and
• Weak cryptography for passwords - CVE-2019-19299
NCCIC-ICS reports that a relatively low-skilled attacker
could remotely exploit the vulnerabilities to allow unauthorized access to server
data and possible denial-of-service conditions.
S7-300 Update
This update provides
new information for an advisory that was originally
published on December 13th, 2016 and most recently
updated on January 24th, 2018. The update provides an updated
vulnerability description.
SIMATIC Update #1
This update
provides new information on an advisory that was originally
published on December 10th, 2019 and most recently
updated on February 11th, 2020. The new information includes
updated version and mitigation information for the SIMATIC IPC DiagMonitor.
Industrial Products Update #1
This update
provides new information on an advisory that was originally published on April
9th, 2019 and most recently
updated on February 11th, 2020. The new information includes
updated version and mitigation information for:
• SIMATIC IPC DiagMonitor; and
• SINEC
Industrial Products Update #2
This update
provides new information on an advisory that was originally
published on September 10th, 2019 and most recently
updated on February 11th, 2020. The new information includes:
• Updated version and mitigation information for:
◦ SINEMA Remote Connect Server;
◦ SCALANCE M-800, S615; and
◦ RUGGEDCOM RM1224
• Added affected products SIMATIC CP 1623 and CP 162; and
• Corrected information for SIMATIC MV500
PROFINET Update #1
This update
provides new information on an advisory that was originally
published on October 10th, 2019 and most recently
updated on February 11th, 2020. The new information includes
updated version and mitigation information for SIMATIC S7-300 CPU family.
IRT-Devices Update
This update
provides new information on an advisory that was originally
published on October 10th, 2019 and most recently
updated on February 11th, 2020. The new information includes
updated version and mitigation information for SIMATIC S7-300 CPU family.
SIMATIC Update #2
This update
provides new information on an advisory that was originally
published on December 10th, 2019. The new information includes:
• Removed exclusion of SIMATIC S7-1500 CPU 1518-4 PN/DP; and
• Added patch links for:
◦ ET200 CPU 1515 SP2; and
◦ SIMATIC S7-1500 Software Controller.
NOTE: NCCIC-ICS did not include a link to the Siemens advisory.
SIMATIC Update #3
This update
provides new information on an advisory that was originally
published on December 10th, 2019 and most recently
updated on February 11th, 2020. The new information includes links
for WinCC Runtime.
SPPA-T3000 Update
This update
provides new information on an advisory that was originally
published on December 17th, 2019. The new information includes
updates and configuration recommendations.
SIMATIC Update #4
This update
provides new information on an advisory that was originally
published on February 11th, 2020. The new information includes
updated version and mitigation information for SIMATIC ET 200SP Open Controller
CPU 1515SP PC2.
SIMATIC Update #5
This update
provides new information on an advisory that was originally
published on February 11th, 2020. The new information includes
updated version and mitigation information for SIMATIC NET PC Software.
SIMATIC Update #6
This update
provides new information on an advisory that was originally
published on February 11th, 2020. The new information includes
updated version and mitigation information for SIMATIC S7-300 PN/DP CPU family.
PROFINET Update #2
This update
provides new information on an advisory that was originally
published on February 11th, 2020. The new information includes a
new affected product: SOFTNET-IE PNIO.
Other Siemens Updates
There were two additional Siemens updates that were
published yesterday. I will address those Saturday as there are no
NCCIC-ICS advisories associated with those particular vulnerabilities.