Sunday, March 15, 2020

Public ICS Disclosures – Week of 3-7-20 Part II


In addition to the vendor disclosures I discussed yesterday, we have four new vendor disclosures from Schneider and three updated disclosures, one from Schneider and two from Siemens.

Schneider Advisories


Schneider published an advisory describing two vulnerabilities in the Schneider Interactive Graphical SCADA System (IGSS). The vulnerabilities were reported by an anonymous researcher via the Zero Day Initiative. Schneider has a new version that mitigates the vulnerabilities. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.

The two reported vulnerabilities are:

• Improper limitation of a path name to a restricted directory - CVE-2020-7478; and
• Missing authentication for a critical function - CVE-2020-7479


Schneider published an advisory describing an improper check for unusual or exceptional conditions vulnerability in the Schneider Modicon Quantum Ethernet Network module and Quantum / Premium COPRO. The vulnerability was reported by China Information Technology Security Evaluation Centre (CNITSEC). Schneider has a new version for the Quantum Ethernet Network module that mitigates the vulnerability. There is no indication that the researcher has been provided an opportunity to verify the efficacy of the fix.


Schneider published an advisory describing an untrusted search path vulnerability in the Schneider ZigBee Installation Toolkit. The vulnerability was reported by Yongjun Liu of nsfocus. Schneider has a new version that mitigates the vulnerability. There is no indication that Liu has been provided an opportunity to verify the efficacy of the fix.


Schneider published an advisory describing three vulnerabilities in the Schneider Andover Continuum line of controllers. The vulnerabilities were reported by Niv Levy. Schneider provided generic mitigation measures for this product, which is no longer under service support.

Schneider Update


Schneider has published an update for their Urgent/11 advisory that was originally published on August 2nd, 2019 and most recently updated on February 11th, 2020. The new information includes mitigation measures for:

• HMIGXU;
• Easergy MiCOM P30;
• Tricon Communication Modules; and
• Trident Communication Integration Module

Siemens Updates


Siemens published an update for an advisory for Intel CPUs that was originally published on February 11th, 2020. The new information includes updated version and mitigation data for:

• SIMATIC IPC127E;
• SIMATIC IPC627E;
• SIMATIC IPC647E;
• SIMATIC IPC677E; and
• SIMATIC IPC847E


Siemens published an update for their ZombieLoad advisory that was originally published on July 9th, 2019 and most recently updated on February 11th, 2020. The new information includes updated version and mitigation data for:

• SIMATIC IPC127E; and
• SIMATIC IPC527G
