Saturday, April 25, 2020

Public ICS Disclosure – Week of 4-18-20


This week we have 8 vendor advisories for products from ABB (4), Johnson Controls, Rockwell, BD and Eaton; as well as 3 updated advisories for products from ABB. There are also 3 researcher disclosures for products from P5, Rockwell and Siemens.

ABB Advisories


ABB published an advisory describing a path traversal vulnerability in their UPS Adapter CS141. The vulnerability was reported by Eduardo Cataño Conde. ABB has a new version that mitigates the vulnerability. There is no indication that Conde has been provided an opportunity to verify the efficacy of the fix.


ABB published an advisory describing five vulnerabilities in their ABB Central Licensing System. The vulnerabilities were reported by William Knowles at Applied Risk. ABB will be preparing product specific advisories for these vulnerabilities.

The five reported vulnerabilities are:

• Information disclosure - CVE-2020-8481;
• XML external entity injection - CVE-2020-8479;
• Denial of service - CVE-2020-8475;
• Privilege elevation - CVE-2020-8476; and
• Weak file permissions - CVE-2020-8471


ABB published an advisory describing the impact of their Central Licensing System Vulnerabilities (see above) on their System 800xA, Compact HMI and Control Builder Safe products. A new version of the Central Licensing System is available that mitigates some of the vulnerabilities. There is no indication that Knowles has been provided an opportunity to verify the efficacy of the fix.


ABB published an advisory describing an inter-process communication vulnerability in System 800xA. The vulnerability was reported by William Knowles at Applied Risk. ABB has provided generic workarounds to mitigate the vulnerability while working on product updates. NOTE: ABB has requested separate CVE numbers for each affected product based upon varying levels of risk in the products.


NOTE: The ABB Alerts and Notifications page also lists two advisories for products from B&R. I have not covered them here because they were covered when they were released by B&R.

Johnson Controls Advisory


Johnson Controls published an advisory describing an XML external entity injection vulnerability in their BCPro Workstation and Building Configuration Tool (BCT) software. The vulnerability is self-reported. Johnson Controls has a patch that mitigates the vulnerability.

Rockwell Advisory


Rockwell published an advisory describing eight third-party vulnerabilities in their FactoryTalk product. The vulnerabilities are in the Gemalto Sentinel LDK Runtime Environment. The Sentinel LDK vulnerabilities were reported by Kaspersky in January of 2018. Rockwell has a new version that mitigates the vulnerabilities.

BD Advisory


BD published an advisory describing a third-party vendor outdated certificate vulnerability in a large number of their products. The problem was identified by ESET in some of their legacy products. BD is working on validating the ESET update.

Eaton Advisory


Eaton published an advisory describing a third-party vendor stack-based buffer overflow vulnerability in their products supporting DNP3 Protocol. The Triangle MicroWorks vulnerability was reported by NCCIC-ICS (ICSA-20-105-02) last week. Eaton provided generic workarounds while it is evaluating the vulnerability and its effects on their products.

ABB Updates


ABB published an update for their System 800xA Weak File Permissions advisory that was originally published on April 2nd, 2020. The new information includes an added FAQ question on functional safety.


ABB published an update for their System 800xA Information Manager advisory that was originally published on April 2nd, 2020. The new information includes an added FAQ question on functional safety. (NOTE: includes statement that: “Under certain conditions exploits of this vulnerability may affect the integrity of safety functions in System 800xA.”)


ABB published an update for their System 800xA Weak Registry Permissions advisory that was originally published on April 2nd, 2020. NOTE: The ABB Alerts and Notifications page says that this advisory was updated on “2020-04-21” like the previous 2, but the link takes one to the original advisory with no changes. I suspect that the update should include the same added FAQ question seen in the two updates described above. The difference would be in the answer to that FAQ.


Researcher Disclosures


Zero Science published a report describing a stored cross-site scripting vulnerability in the P5 FNIP-8x16A eight channel relay module. The report includes links to an exploit published by LiquidWorm. Zero Science has attempted to contact P5 but has received no response.

Applied Risk published a report describing an insecure registry permissions vulnerability in the Rockwell RSLinx Classic. This vulnerability was reported by NCCIC-ICS on April 9th, 2020.

Applied Risk published a report describing an insecure file permissions vulnerability in the Siemens TIA Portal. This vulnerability was reported by NCCIC-ICS on January 14th, 2020 and subsequently updated on April 14th.
