This week we have five vendor disclosures for products from
Phoenix Contact (2), 3S (2) and Philips along with an update of a previous
vendor disclosure from Belden. There is also an exploit publication for
products from GE. Finally, an interesting look at control system security and
COVID-19 ‘industrial distancing’.
Phoenix Contact Advisories
Phoenix Contact published an
advisory [.PDF download link] describing a privilege escalation vulnerability
in their Portico Remote desktop control software. The vulnerability was
reported by an unnamed researcher. Phoenix Contact has a new version that
mitigates the vulnerability. There is no indication that the researcher has
been provided an opportunity to verify the efficacy of the fix.
Phoenix Contact published an
advisory [.PDF download link] describing an insecure permissions
vulnerability in their PC WORX SRT. The vulnerability was reported by Sharon Brizinov of
Claroty. Phoenix Contact provides generic workarounds to
mitigate the vulnerability.
3S Advisories
3S published an
advisory [.PDF download link] describing an out-of-bounds memory buffer
access vulnerability in their CODESYS communication
protocol. The vulnerability was
reported by Carl Hurd of Cisco Talos and an OEM customer. 3S has a new
version that mitigates the vulnerability. There is no indication that Hurd has
been provided an opportunity to verify the efficacy of the fix.
NOTE: The Talos report includes proof-of-concept exploit
code.
3S published an
advisory [.PDF download link] describing a heap-based buffer overflow vulnerability
in their Web Service application. The vulnerability was reported
by Tenable. 3S has a new version that mitigates the vulnerability. There is no
indication that the researcher has been provided an opportunity to verify the
efficacy of the fix.
NOTE: The Tenable report includes proof-of-concept exploit
code.
Philips Advisory
Philips published an
advisory describing two vulnerabilities in their AC 2719 Air Purifier when
using the Air Matters Android application. Philips reports that this is a
chip-level problem, but reportedly a newer version of the application mitigates
the vulnerabilities (?). The vulnerabilities were reported by an unnamed
researcher.
The two (3 or 4 depending on where you read in the advisory)
reported vulnerabilities are:
• Cleartext transmission of information;
• Insufficient Diffie-Hellman strength; and
• Decompiling Android app.
NOTE: Okay, I will admit that I am confused by this advisory.
I cannot find a researcher report of these vulnerabilities. If someone wants to
step forward and explain this to me, I would appreciate it.
GE Exploit
Ivan Marmolejo has published an exploit for a password
denial of service vulnerability in the GE ProficySCADA
for iOS. There is no CVE number associated with the exploit report, nor any vendor
contact reports, and I cannot find a report of a similar vulnerability on the GE
security advisory page, so this looks like a 0-day exploit.
COVID-19
Otorio.com has an interesting
blog post about the increase in remote access to industrial systems due to
COVID-19. They introduce a fun new term ‘industrial distancing’. It is a quick
read, but worth it.