Yesterday the CISA NCCIC-ICS published nine control system
security advisories for products from Siemens (6), Triangle MicroWorks (2) and
Eaton. They also published updates for five advisories for products from
Siemens.
TIM Advisory
This advisory describes an active debug code vulnerability in the Siemens TIM communication modules. The vulnerability was self-reported. Siemens has new versions that mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled, unauthenticated attacker with network access could remotely exploit the vulnerability to gain full control over the device.
KTK Advisory
This advisory describes an uncontrolled resource consumption vulnerability in the Siemens KTK, SIDOOR, SIMATIC, and SINAMICS products. The vulnerability was self-reported. Siemens has updates available to mitigate the vulnerability.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to create a denial-of-service condition.
NOTE: This is the third-party SegmentSmack vulnerability in the InterNiche TCP/IP stack.
SCALANCE Advisory
This advisory describes a resource exhaustion vulnerability in the Siemens SCALANCE and SIMATIC products. The vulnerability was self-reported. Siemens provided generic workarounds while they continue to work on mitigation measures.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit this vulnerability to create a denial-of-service condition.
NOTE: This is the third-party SegmentSmack vulnerability in the VxWorks OS.
SIMOTICS Advisory
This advisory describes a business logic error vulnerability in the Siemens SIMOTICS, Desigo, APOGEE, and TALON products. The vulnerability was self-reported. Siemens provided generic workarounds.
NCCIC-ICS reports that a relatively low-skilled attacker on an adjacent network could exploit this vulnerability to affect the availability and integrity of the device.
Industrial Devices Advisory
This advisory describes two vulnerabilities in the Siemens IE/PB-Link, RUGGEDCOM, SCALANCE, SIMATIC and SINEMA products. The vulnerabilities were self-reported. Siemens has updates that mitigate the vulnerabilities.
The two reported vulnerabilities are:
• Resource exhaustion - CVE-2018-5390; and
• Improper input validation - CVE-2018-5391
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to affect the availability of the devices under certain conditions.
NOTE: These are the third-party Linux kernel SegmentSmack (CVE-2018-5390) and FragmentSmack (CVE-2018-5391) vulnerabilities.
Climatix Advisory
This advisory describes two vulnerabilities in the Siemens Climatix product line. The vulnerabilities were reported by Ezequiel Fernandez from Dreamlab Technologies. Siemens has provided generic workarounds.
The two reported vulnerabilities are:
• Cross-site scripting - CVE-2020-7574; and
• Basic XSS - CVE-2020-7575
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code in a user's browser session and access confidential information without authentication.
TMW SCADA Advisory
This advisory describes three vulnerabilities in the Triangle Microworks (TMW) SCADA Data Gateway. The vulnerabilities were reported by the Incite Team (Steven Seeley and Chris Anastasio) and by Tobias Scharnowski, Niklas Breitfeld, and Ali Abbasi via the Zero Day Initiative. TMW has a new version that mitigates the vulnerabilities. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
The three reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2020-10615;
• Out-of-bounds read - CVE-2020-10613; and
• Type confusion - CVE-2020-10611
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit these vulnerabilities to execute arbitrary code and disclose information on affected installations of the Triangle Microworks SCADA Data Gateway with DNP3 Outstation channels. Authentication is not required to exploit these vulnerabilities.
TMW DNP3 Advisory
This advisory describes a stack-based buffer overflow vulnerability in the Triangle Microworks DNP3 Outstation Libraries. The vulnerability was reported by the Incite Team (Steven Seeley and Chris Anastasio) via ZDI. TMW has a new version that mitigates the vulnerability. There is no indication that the researchers have been provided an opportunity to verify the efficacy of the fix.
NCCIC-ICS reports that a relatively low-skilled attacker could remotely exploit the vulnerability to stop the execution of code on affected equipment, a denial-of-service condition.
Eaton Advisory
This advisory describes two vulnerabilities in the Eaton HMiSoft VU3. The vulnerabilities were reported by Natnael Samson (@NattiSamson) via ZDI. The HMiSoft VU3 has reached end-of-life and is no longer supported by Eaton.
The two reported vulnerabilities are:
• Stack-based buffer overflow - CVE-2020-10639; and
• Out-of-bounds read - CVE-2020-10637
NCCIC-ICS reports that a relatively low-skilled attacker with uncharacterized access could exploit the vulnerabilities to crash the device being accessed and may allow remote code execution or information disclosure.
Industrial Products Update
This update provides additional information for an advisory that was originally published on September 10th, 2019 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for ROX II.
PROFINET Update
This update provides additional information for an advisory that was originally published on October 10th, 2019 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for SIMATIC ET200MP IM155-5 PN HF.
TIA Portal Update
This update provides additional information for an advisory that was originally published on January 14th, 2020. The new information includes updated version information and mitigation links for TIA Portal V16.
SIMATIC PCS 7 Update
This update provides additional information for an advisory that was originally published on February 11th, 2020 and most recently updated on March 10th, 2020. The new information includes updated version information and mitigation links for SIMATIC WinCC (TIA Portal) V16.
SIMATIC S7 Update
This update provides additional information for an advisory that was originally published on February 11th, 2020 and most recently updated on March 10th, 2020. The new information includes adding SIMATIC WinAC RTX to the list of affected products.
Other Siemens Updates
Siemens also updated five other advisories yesterday. I expect that NCCIC-ICS will address at least two of these, probably later this week.