This week we have four vendor disclosures for products from Bosch,
Schneider, Moxa and Eaton. There are also two interesting cybersecurity-related
announcements from Philips and Meinberg.
Bosch Advisory
Bosch published an
advisory describing an improper input validation vulnerability in the Bosch
Rexroth S20-PN-BK+/S20-ETH-BK fieldbus couplers. The vulnerability lies in a third-party
Phoenix Contact component of these devices and was
originally reported in September 2018. Bosch provided generic controls to
mitigate the vulnerability. These are the same controls recommended by Phoenix
Contact.
Schneider Advisory
Schneider published an
advisory describing an injection vulnerability in their Modicon
Controllers, EcoStruxure™ Control Expert and Unity Pro Programming Software.
The vulnerability was reported by Airbus Cybersecurity. Schneider has hotfixes
available to mitigate this vulnerability.
Schneider reports that:
“Since alerting us to the
vulnerability, Airbus Cybersecurity and Schneider Electric have collaborated to
validate the research and to assess its true impact. Our mutual findings demonstrate
that while the discovered vulnerability affects Schneider Electric offers, it
equally impacts many other vendors and the global industrial automation market
in general, especially when the baseline assumption of the attack technique
Airbus Cybersecurity demonstrated is considered. Given certain conditions, and
assuming an attacker has access to the network, many devices available from several
different industrial control vendors are likewise vulnerable.”
Schneider provides links to the Airbus Cybersecurity site and blog for further details. As
of this morning I can find nothing on that site.
Moxa Advisory
Moxa published an
advisory describing two vulnerabilities in the Moxa OnCell Central Manager
Cellular Management Software. The vulnerabilities were reported by Sergey Temnikov
from Kaspersky ICS CERT. Both vulnerabilities are in a third-party component, Apache
Flex BlazeDS. Moxa has a security patch that mitigates the vulnerabilities. There
is no indication that the researchers have been provided an opportunity to
verify the efficacy of the fix.
The two reported vulnerabilities are:
• Deserialization of untrusted data - CVE-2019-15696 (Apache CVE-2017-5641); and
• Information exposure - CVE-2019-15697 (Apache CVE-2015-3269)
The CVE links are to the Kaspersky advisories. Kaspersky has
provided the original CVE numbers for the underlying vulnerability. There is at
least one publicly
available exploit for the original information exposure vulnerability.
Eaton Advisory
Eaton published an
advisory describing an eval injection vulnerability in the Eaton UPS Companion software. The vulnerability was
reported by Ravjot Singh Samra. Eaton has a new version that mitigates the
vulnerability. There is no indication that Samra has been provided an
opportunity to verify the efficacy of the fix.
Cybersecurity Announcements
Philips published a
notice announcing that the Philips Security Center of Excellence was named
the first medical device manufacturer to receive a new Underwriters
Laboratories (UL) product cybersecurity testing certification (UL IEC 62304).
Meinberg published a
notice concerning their continued operations during the COVID-19 outbreak.
Commentary
It is not unusual to see third-party vulnerabilities being
reported in control systems. The two reports today are disheartening because of
the elapsed time between the reporting of the underlying vulnerability and this
week’s advisories. The use of third-party software and libraries is almost
unavoidable in the current development environment; companies just cannot afford
(time or money) to write complex software from scratch.
We expect manufacturers to watch for vulnerability announcements
for the equipment and software they use in their manufacturing processes and
then conduct a risk assessment to determine if that vulnerability provides an
unacceptable risk to their operations. We need to expect control system vendors
to perform the same sort of process. Perhaps companies buying control system
components should be asking their vendors to describe their process for
identifying and fixing third-party vulnerabilities in their products.