Public ICS Disclosure – Week of 2-29-20

This week we have lots of new ‘information’ on SweynTooth vulnerabilities and three vendor disclosures for products from Rockwell, Phoenix Contact and Moxa.

SweynTooth

In addition to the CISA alert for the SweynTooth  Bluetooth vulnerabilities published this week there was an advisory from the FDA and brief disclosures from the following medical device vendors:

• GE Healthcare;  

• Johnson and Johnson;

• Medtronic;

• BD; and

• Drager

Rockwell Advisory

Rockwell published an advisory describing four vulnerabilities in their MicroLogix Controllers and RSLogix 500 Software. The vulnerabilities were reported by Ilya Karpov, Evgeny Druzhinin from ScadaX Security and Dmitry Sklyarov from Positive Technologies. Rockwell has new versions for some products that mitigate the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.

The four reported vulnerabilities are:

• Use of hard-coded cryptographic key - CVE-2020-6990;

• Use of broken or risky algorithm for password protection - CVE-2020-6984;

• Use of client-side authentication - CVE-2020-6988; and

• Unsecured SMTP data storage - CVE-2020-6980

Phoenix Contact Advisory

Phoenix Contact published an advisory [.PDF download link] describing three vulnerabilities in their  TC ROUTER & TC CLOUD CLIENT devices. The vulnerabilities were reported by Thomas Weber, SEC Consult Vulnerability Lab. Phoenix Contact has new firmware that mitigates the vulnerability. There is no indication that Weber was provided an opportunity to verify the efficacy of the fix.

The three reported vulnerabilities are:

• Improper control of generation of code - CVE-2017-16544;

• Command injection - CVE-2020-9436; and

• Hard-coded certificate - CVE-2020-9435

NOTE: the first vulnerability is an old library problem that has lots of exploits available.

Moxa Advisory

Moxa published an advisory describing an improper authentication vulnerability in their MGate MB3180/MB3280/MB3480/MB3170/MB3270 Series Protocol Gateways. This is a self-reported vulnerability. Moxa has new firmware versions available that mitigate the vulnerability.